Description
Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.
Published: 2026-02-26
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Patch
AI Analysis

Impact

The Zen C compiler contains a command injection flaw in its front end. When the -o output filename option is supplied, the compiler concatenates the filename into a shell command that is executed via system(). Because shell metacharacters in the filename are interpreted, an attacker who can influence the -o value can run arbitrary commands with the privileges of the compiler process. The vulnerability is classified as CWE‑78.

Affected Systems

Z‑libs Zen‑C versions earlier than 0.4.2 are affected. The flaw exists in the main application logic located in src/main.c of the project. Users who invoke the zc compiler directly from a local machine, or who run automated build scripts or CI/CD pipelines that supply the -o argument, may be impacted.

Risk and Exploitability

The CVSS score of 6.6 indicates a moderate severity. The EPSS score of less than 1% suggests that active exploitation is presently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is local because the attacker must supply a crafted value to the -o option when the compiler is run locally; remote exploitation is not supported by the information provided. The impact allows an attacker with local build‑system access to execute arbitrary commands, which could lead to full compromise of that environment and potentially privilege escalation if the compiler runs with elevated rights.

Generated by OpenCVE AI on April 17, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Zen C 0.4.2 or later, which removes the system() call and implements safer argument handling.
  • Audit and restrict build scripts, CI/CD pipelines, and any automated tools that invoke the compiler to ensure that no untrusted input is passed to the -o option.
  • If an upgrade is not immediately possible, implement input validation or sanitization for the -o argument, rejecting or escaping shell metacharacters.

Generated by OpenCVE AI on April 17, 2026 at 14:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Z-libs zen C
CPEs cpe:2.3:a:z-libs:zen_c:*:*:*:*:*:*:*:*
Vendors & Products Z-libs zen C

Mon, 02 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Z-libs
Z-libs zen-c
Vendors & Products Z-libs
Z-libs zen-c

Thu, 26 Feb 2026 22:45:00 +0000

Type Values Removed Values Added
Description Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (like through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.
Title Zen-C Vulnerable to Command Injection via Malicious Output Filename
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L'}

Subscriptions

Z-libs Zen-c Zen C
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:48:09.055Z

Reserved: 2026-02-25T15:28:40.648Z

Link: CVE-2026-28207

cve-icon Vulnrichment

Updated: 2026-02-27T16:57:44.054Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T23:16:35.277

Modified: 2026-03-03T00:48:26.487

Link: CVE-2026-28207

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses