CVE-2026-30903
published 2026-03-11
CVE-2026-30903: External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation…
Priority P260 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% (24.5th percentile)
External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zoom | workplace_desktop | < 6.6.0 | 6.6.0 |
| zoom | workplace_virtual_desktop_infrastructure | >= 6.4.0 < 6.4.17 | 6.4.17 |
| zoom | workplace_virtual_desktop_infrastructure | >= 6.5.0 < 6.5.15 | 6.5.15 |
| zoom | workplace_virtual_desktop_infrastructure | >= 6.6.0 < 6.6.10 | 6.6.10 |
| zoom_communications | zoom_workplace | — | — |
VulDB
Zoom Workplace/VDI Client on Windows file inclusion (WID-SEC-2026-0653)
vuldb·2026-05-17·CVSS 9.8
CVE-2026-30903 [CRITICAL] Zoom Workplace/VDI Client on Windows file inclusion (WID-SEC-2026-0653)
A vulnerability was found in Zoom Workplace and VDI Client on Windows and classified as critical. Impacted is an unknown function. Executing a manipulation can lead to file inclusion.
This vulnerability appears as CVE-2026-30903. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
GHSA-vjwh-3mcr-rqgm: External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6
ghsa_unreviewed·2026-03-11
CVE-2026-30903 [CRITICAL] CWE-73 GHSA-vjwh-3mcr-rqgm: External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6
External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-03-11
Published