Description
A vulnerability was identified in ZenTao up to 21.7.8. Affected by this issue is the function delete of the file editor/control.php of the component Committer. Such manipulation of the argument filePath leads to path traversal. Upgrading to version 21.7.9 can resolve this issue. The affected component should be upgraded.
Published: 2026-02-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Deletion via Path Traversal
Action: Immediate Patch
AI Analysis

Impact

The vulnerability affects ZenTao up to and including version 21.7.8, in the delete function of editor/control.php within the Committer component. Because the filePath argument is not confined to the directory the function is meant to operate in, an attacker can supply traversal sequences and delete files elsewhere on the server's filesystem. The weakness is classified as CWE-22 (Path Traversal). The CVSS vectors recorded on this page rate the confidentiality, integrity and availability impact as low (C:L/I:L/A:L); the practical effect is unauthorized file deletion, which primarily threatens integrity and availability.

Affected Systems

Affected instances are ZenTao installations running version 21.7.8 or earlier. The flaw is in the ZenTao product itself, specifically the Committer functionality of its editor component.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 indicates medium severity; the CVSS 3.0/3.1 vectors score it 5.5. Every vector on this page requires adjacent-network access (AV:A) and low privileges (PR:L) with no user interaction, so exploitation needs a valid low-privileged account on the instance rather than anonymous access. The EPSS score below 1% suggests a low probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment does, however, record Exploitation: poc, meaning proof-of-concept code is publicly available. An attacker with such an account would call the delete action of the editor controller with a filePath value that resolves outside the intended directory, deleting files the account should not be able to touch.

Generated by OpenCVE AI on April 17, 2026 at 19:06 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description states that upgrading to version 21.7.9 resolves the issue.

OpenCVE Recommended Actions

  • Upgrade ZenTao to version 21.7.9 or later to apply the vendor‑provided fix.
  • Review and tighten access controls on the delete endpoint to limit it to authorized users only.
  • Implement server‑side validation that canonicalizes the supplied path and rejects any result outside the intended directory before performing the delete operation; filtering only literal "../" sequences is not sufficient.
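To make the Impact paragraph and the validation recommendation above concrete, the following is an added example written for this page; it is not ZenTao's code and is not taken from editor/control.php. It places a delete handler that appends a client-supplied filePath to a base directory without confining it beside a hardened version that canonicalizes both paths and enforces a prefix check. The directory layout, the function names and the treatment of filePath as a bare relative path are assumptions, as is PHP 8 on a POSIX filesystem.

```php
<?php
declare(strict_types=1);

// Added illustration, not ZenTao's code. Directory names, function names and
// the shape of the filePath parameter are assumptions for the demonstration.
// Requires PHP 8 (str_contains, str_starts_with) on a POSIX filesystem.

// Vulnerable pattern: the untrusted value is appended to a base directory and
// used as-is, so "../" segments walk out of that directory.
function deleteFileVulnerable(string $baseDir, string $filePath): bool
{
    $target = $baseDir . '/' . $filePath;
    return is_file($target) && unlink($target);
}

// Hardened pattern: canonicalise the base directory and the candidate target,
// then require the target to lie strictly inside the base.
function deleteFileSafe(string $baseDir, string $filePath): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // PHP 8 filesystem functions throw on embedded NUL bytes; refuse early.
    if ($filePath === '' || str_contains($filePath, "\0")) {
        return false;
    }
    // realpath() resolves "..", "." and symlinks, and returns false when the
    // file does not exist, so a dangling traversal attempt also fails here.
    $target = realpath($base . '/' . $filePath);
    if ($target === false) {
        return false;
    }
    // Compare against the canonical base plus a trailing separator, so that
    // "/srv/repo-old/x" is not accepted as being under "/srv/repo".
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return is_file($target) && unlink($target);
}

// Scratch layout constructed for the demo: repo/ is the directory the delete
// action is meant to operate in; etc/ stands in for files outside it.
$root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
mkdir("$root/repo", 0700, true);
mkdir("$root/etc", 0700, true);
file_put_contents("$root/repo/notes.txt", "inside");
file_put_contents("$root/etc/secret.conf", "outside");

// Attacker-controlled value that escapes repo/ and targets etc/secret.conf.
$payload = '../etc/secret.conf';

// Hardened handler: the traversal payload must be refused and secret.conf
// must survive, while a legitimate in-tree file is still deletable.
echo "safe, traversal payload:   ", var_export(deleteFileSafe("$root/repo", $payload), true), PHP_EOL;
echo "secret.conf still present: ", var_export(file_exists("$root/etc/secret.conf"), true), PHP_EOL;
echo "safe, legitimate file:     ", var_export(deleteFileSafe("$root/repo", 'notes.txt'), true), PHP_EOL;

// Vulnerable handler: the same payload reaches the file outside repo/.
echo "vulnerable, traversal:     ", var_export(deleteFileVulnerable("$root/repo", $payload), true), PHP_EOL;
echo "secret.conf still present: ", var_export(file_exists("$root/etc/secret.conf"), true), PHP_EOL;

// Remove the scratch tree.
@unlink("$root/repo/notes.txt");
@unlink("$root/etc/secret.conf");
rmdir("$root/repo");
rmdir("$root/etc");
rmdir($root);
```

Two design points are worth noting. First, the check is made on the output of realpath(), not on the raw input, so encoded or mixed-separator variants of ".." are handled by the filesystem rather than by a denylist. Second, realpath() failing for a non-existent file is acceptable for a delete operation, but the same approach needs a different treatment for create or write operations, where the target does not yet exist and the parent directory must be canonicalized instead.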

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 18:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:zentao:zentao:*:*:*:*:*:*:*:*

Tue, 17 Feb 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Feb 2026 09:00:00 +0000

Type: First Time appeared
Values added: Zentao; Zentao zentao

Type: Vendors & Products
Values added: Zentao; Zentao zentao

Mon, 16 Feb 2026 11:30:00 +0000

Type: Description
Values added: A vulnerability was identified in ZenTao up to 21.7.8. Affected by this issue is the function delete of the file editor/control.php of the component Committer. Such manipulation of the argument filePath leads to path traversal. Upgrading to version 21.7.9 can resolve this issue. The affected component should be upgraded.

Type: Title
Values added: ZenTao Editor control.php delete path traversal

Type: Weaknesses
Values added: CWE-22

Type: References
Values added: (none shown)

Type: Metrics
Values added:
cvssV2_0 {'score': 5.2, 'vector': 'AV:A/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
cvssV3_0 {'score': 5.5, 'vector': 'CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:08:48.186Z

Reserved: 2026-02-15T16:20:21.100Z

Link: CVE-2026-2552

Vulnrichment

Updated: 2026-02-17T16:41:24.082Z

NVD

Status : Analyzed

Published: 2026-02-16T12:16:22.277

Modified: 2026-02-20T18:00:00.757

Link: CVE-2026-2552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T19:15:26Z

Weaknesses