CVE-2026-28207
CVE-2026-28207 is a medium-severity vulnerability in Zenc-lang Zen C with a CVSS 3.x base score of 6.6. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-78.
Key facts
- Severity: Medium (CVSS 3.x base score 6.6)
- EPSS exploit prediction: 1% (56th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-8908
- Weakness: CWE-78
- Affected product: Zenc-lang Zen C
- Published:
- Last modified:
Description
Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.
Frequently asked questions
- What is CVE-2026-28207?
- Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.
- How severe is CVE-2026-28207?
- CVE-2026-28207 has a CVSS 3.x base score of 6.6, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity high, and availability low.
- Is CVE-2026-28207 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (56th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-28207?
- CVE-2026-28207 affects Zenc-lang Zen C. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-28207?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-28207 have an EU (EUVD) identifier?
- Yes. CVE-2026-28207 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-8908.
- When was CVE-2026-28207 published?
- CVE-2026-28207 was published on 2026-02-26 and last updated on 2026-06-17.
References
- https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2
- https://f0nduesav0yarde.github.io/blog/vulnerabilities/cve-2026-28207/
Affected products (1)
- cpe:2.3:a:zenc-lang:zen_c:*:*:*:*:*:*:*:*
More vulnerabilities in Zenc-lang Zen C
- CVE-2026-33491 — High (CVSS 7.8): Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a…
All CVEs affecting Zenc-lang Zen C →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…