
Icewhaletech Zimaos vulnerabilities

12 known vulnerabilities affecting icewhaletech/zimaos.

Total CVEs: 12
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 5, MEDIUM 4

Vulnerabilities

CVE-2026-21891 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≤ 1.5.0 | 2026-01-08
CWE-287. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login
Source: nvd

CVE-2024-49357 | P2 | HIGH | CVSS 7.5 | PoC | ≤ 1.2.4 | 2024-10-24
CWE-200. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http:///v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http:///v1/users/image?path=/var/lib/casaos/1/system.json`, expose sensitive data like installed applications an
Source: nvd

CVE-2026-28798 | P2 | CRITICAL | CVSS 10.0 | fixed in 1.5.3 | 2026-04-03
CWE-918. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests to internal localhost services. This results in unauthenticated acces
Source: nvd

CVE-2026-28286 | P2 | CRITICAL | CVSS 9.9 | v= 1.5.2-beta3 | 2026-03-02
CWE-73. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted
Source: nvd

CVE-2026-28442 | P3 | HIGH | CVSS 8.5 | v= 1.5.2-beta3 | 2026-03-05
CWE-73. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be bypassed. By altering the path parameter in the delete re
Source: nvd

CVE-2024-48931 | P3 | HIGH | CVSS 7.5 | ≤ 1.2.4 | 2024-10-24
CWE-22. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http:///v3/file?token=&files=` is vulnerable to arbitrary file reading due to improper input validation. By manipulating the `files` parameter, authenticated users can read sensitive system fil
Source: nvd

CVE-2024-49359 | P3 | HIGH | CVSS 7.5 | ≤ 1.2.4 | 2024-10-24
CWE-552. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http:///v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contents of any directory on the server. By manipulating the path parameter, attac
Source: nvd

CVE-2025-58432 | P3 | HIGH | CVSS 7.8 | ≤ 1.4.1 | 2025-09-17
CWE-250. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT.
Source: nvd

CVE-2025-64427 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.5.0 | 2026-03-02
CWE-200. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to
Source: nvd

CVE-2025-58431 | P4 | MEDIUM | CVSS 6.2 | ≤ 1.4.1 | 2025-09-17
CWE-250. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2_1/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT.
Source: nvd

CVE-2024-49358 | P4 | MEDIUM | CVSS 5.3 | ≤ 1.2.4 | 2024-10-24
CWE-203. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http:///v1/users/login` in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can be exploited for username enumeration, allowing attac
Source: nvd

CVE-2024-48932 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.5.0 | 2024-10-24
CWE-284. ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http:///v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and le
Source: nvd