{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28207", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T15:28:40.648Z", "datePublished": "2026-02-26T22:17:58.898Z", "dateUpdated": "2026-03-02T20:48:09.055Z"}, "containers": {"cna": {"title": "Zen-C Vulnerable to Command Injection via Malicious Output Filename", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2"}], "affected": [{"vendor": "z-libs", "product": "Zen-C", "versions": [{"version": "< 0.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:17:58.898Z"}, "descriptions": [{"lang": "en", "value": "Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later."}], "source": {"advisory": "GHSA-9rff-x96h-76h2", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-27T16:57:44.054Z"}, "references": [{"url": "https://f0nduesav0yarde.github.io/blog/vulnerabilities/cve-2026-28207/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}, {"references": [{"url": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-02T20:48:05.636087Z", "id": "CVE-2026-28207", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:48:09.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://f0nduesav0yarde.github.io/blog/vulnerabilities/cve-2026-28207/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-27T16:57:44.054Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28207", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-02T20:48:05.636087Z"}}}], "references": [{"url": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-02T20:47:55.519Z"}}], "cna": {"title": "Zen-C Vulnerable to Command Injection via Malicious Output Filename", "source": {"advisory": "GHSA-9rff-x96h-76h2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "z-libs", "product": "Zen-C", "versions": [{"status": "affected", "version": "< 0.4.2"}]}], "references": [{"url": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2", "name": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:17:58.898Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28207", "state": "PUBLISHED", "dateUpdated": "2026-03-02T20:48:09.055Z", "dateReserved": "2026-02-25T15:28:40.648Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:17:58.898Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zenc-lang:zen_c:*:*:*:*:*:*:*:*", "matchCriteriaId": "E084A39F-FF3F-487E-8E8A-F8F3C322A5AE", "versionEndExcluding": "0.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later."}, {"lang": "es", "value": "Zen C es un lenguaje de programaci\u00f3n de sistemas que compila a GNU C/C11 legible por humanos. Antes de la versi\u00f3n 0.4.2, una vulnerabilidad de inyecci\u00f3n de comandos (CWE-78) en el compilador Zen C permite a atacantes locales ejecutar comandos de shell arbitrarios proporcionando un nombre de archivo de salida especialmente dise\u00f1ado a trav\u00e9s del argumento de l\u00ednea de comandos '-o'. La vulnerabilidad exist\u00eda en la l\u00f3gica de la aplicaci\u00f3n 'main' (espec\u00edficamente en 'src/main.c'), donde el compilador constru\u00eda una cadena de comandos de shell para invocar al compilador C de backend. Esta cadena de comandos se constru\u00eda concatenando varios argumentos, incluyendo el nombre de archivo de salida controlado por el usuario, y posteriormente se ejecutaba usando la funci\u00f3n 'system()'. Debido a que 'system()' invoca un shell para analizar y ejecutar el comando, los metacaracteres de shell dentro del nombre de archivo de salida eran interpretados por el shell, lo que llevaba a la ejecuci\u00f3n arbitraria de comandos. Un atacante que puede influir en los argumentos de l\u00ednea de comandos pasados al compilador 'zc' (como a trav\u00e9s de un script de compilaci\u00f3n o una configuraci\u00f3n de pipeline de CI/CD) puede ejecutar comandos arbitrarios con los privilegios del usuario que ejecuta el compilador. La vulnerabilidad ha sido corregida en la versi\u00f3n 0.4.2 eliminando las llamadas a 'system()', implementando 'ArgList' y el manejo interno de argumentos. Se aconseja a los usuarios actualizar a la versi\u00f3n v0.4.2 de Zen C o posterior."}], "id": "CVE-2026-28207", "lastModified": "2026-05-01T14:38:16.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-26T23:16:35.277", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://f0nduesav0yarde.github.io/blog/vulnerabilities/cve-2026-28207/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Zen-C", "source": "cna", "vendor": "z-libs"}, "product": "zen-c", "vendor": "z-libs"}], "analysis": {"en": {"generated_at": "2026-04-17T14:13:59.041953+00:00", "value": {"mitigation_remediation": ["Upgrade to Zen C 0.4.2 or later, which removes the system() call and implements safer argument handling.", "Audit and restrict build scripts, CI/CD pipelines, and any automated tools that invoke the compiler to ensure that no untrusted input is passed to the -o option.", "If an upgrade is not immediately possible, implement input validation or sanitization for the -o argument, rejecting or escaping shell metacharacters."], "summary": {"action": "Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "Z\u2011libs Zen\u2011C versions earlier than 0.4.2 are affected. The flaw exists in the main application logic located in src/main.c of the project. Users who invoke the zc compiler directly from a local machine, or who run automated build scripts or CI/CD pipelines that supply the -o argument, may be impacted.", "description_and_impact": "The Zen C compiler contains a command injection flaw in its front end. When the -o output filename option is supplied, the compiler concatenates the filename into a shell command that is executed via system(). Because shell metacharacters in the filename are interpreted, an attacker who can influence the -o value can run arbitrary commands with the privileges of the compiler process. The vulnerability is classified as CWE\u201178.", "risk_and_exploitability": "The CVSS score of 6.6 indicates a moderate severity. The EPSS score of less than 1% suggests that active exploitation is presently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that the attack vector is local because the attacker must supply a crafted value to the -o option when the compiler is run locally; remote exploitation is not supported by the information provided. The impact allows an attacker with local build\u2011system access to execute arbitrary commands, which could lead to full compromise of that environment and potentially privilege escalation if the compiler runs with elevated rights."}}}}, "created": "2026-02-27T09:03:56.442952+00:00", "updated": "2026-04-17T14:15:21.826862+00:00", "vendors": ["z-libs", "z-libs$PRODUCT$zen-c"]}