CVE-2026-2552

5.5 MEDIUM

📋 TL;DR

This CVE describes a path traversal vulnerability in ZenTao's Committer component that allows attackers to delete arbitrary files by manipulating the filePath parameter. It affects ZenTao versions up to 21.7.8. The vulnerability requires authenticated access but could lead to data loss or system disruption.

💻 Affected Systems

Products:
  • ZenTao
Versions: up to 21.7.8
Operating Systems: All platforms running ZenTao
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Committer component specifically; requires authenticated access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could delete critical system files, configuration files, or application data, potentially causing system crashes, data loss, or service disruption.

🟠 Likely Case

Authenticated users could delete application files, configuration files, or user data within the web application directory, leading to application malfunction or data loss.

🟢 If Mitigated

With proper access controls and input validation, impact is limited to authorized users deleting files within their permitted scope.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are vulnerable if attackers gain authenticated access, but exploitation requires authentication.
🏢 Internal Only: MEDIUM - Internal instances are vulnerable to authenticated insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; path traversal via filePath parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.7.9

Vendor Advisory: https://github.com/ez-lbz/ez-lbz.github.io/issues/11

Restart Required: Yes

Instructions:

1. Backup your ZenTao installation and database.
2. Download ZenTao 21.7.9 or later from official sources.
3. Replace affected files or perform a full upgrade.
4. Restart the web server and ZenTao services.
5. Verify functionality.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Add server-side validation to sanitize filePath parameter and restrict to allowed directories

Modify editor/control.php to validate filePath against whitelist

Access Restriction

all

Restrict access to Committer component to trusted users only

Configure web server ACLs or application permissions
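
The containment check that the "Input Validation Enhancement" workaround calls for, as an added illustration rather than ZenTao's own code or a patch for editor/control.php: it canonicalizes the user-supplied path, then confirms the result still lies under the one directory the feature is allowed to manage. The allowed root and the sample inputs are constructed; the same logic ports to PHP with realpath() and a directory-prefix comparison.

```python
"""Server-side containment check for a user-supplied file path.

Added example (not ZenTao code): restricts a filePath-style parameter to a
single allowed directory by canonicalizing first and comparing directory
prefixes, instead of searching the raw string for '../'.
"""
import os

# Hypothetical allowed root; in a real deployment this is the directory the
# feature is meant to manage, never the web root or the config directory.
ALLOWED_ROOT = "/srv/zentao/www/data/repo"


def resolve_within(allowed_root: str, user_path: str):
    """Return the canonical absolute path if user_path stays inside
    allowed_root, otherwise None.

    realpath() collapses '..' segments (and symlinks where the path exists),
    so the prefix comparison afterwards sees the path the filesystem would
    actually operate on. commonpath() rather than startswith() prevents a
    sibling such as '.../repo_old' from passing as '.../repo'.
    """
    root = os.path.realpath(allowed_root)
    # Absolute paths are never acceptable: callers may only name files
    # relative to the managed directory.
    if os.path.isabs(user_path):
        return None
    # A NUL byte can truncate the path in lower-level APIs.
    if "\x00" in user_path:
        return None
    candidate = os.path.realpath(os.path.join(root, user_path))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # mixed absolute/relative or different drives
        return None
    if candidate == root:
        return None  # the managed directory itself is not a deletable file
    return candidate


def delete_managed_file(user_path: str) -> bool:
    """Delete a file only after the containment check passes.

    Returns True when the path was accepted and removed, False when the
    path was rejected or did not exist.
    """
    target = resolve_within(ALLOWED_ROOT, user_path)
    if target is None:
        return False
    try:
        os.remove(target)
    except FileNotFoundError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the first two resolve inside the root, the rest are rejected.
    for p in ["notes.txt", "sub/../notes.txt", "../../config/my.php", "/etc/passwd", ""]:
        print(repr(p), "->", resolve_within(ALLOWED_ROOT, p))
```

Note that "sub/../notes.txt" is accepted because it resolves to a file inside the root; the check is about where the path ends up, not whether the string contains dots, which is why it does not need a separate blocklist of traversal sequences or encodings.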

🧯 If You Can't Patch

  • Implement strict access controls to limit who can access the Committer component
  • Deploy WAF rules to detect and block path traversal attempts in filePath parameter

🔍 How to Verify

Check if Vulnerable:

Check the ZenTao version; if it is 21.7.8 or earlier, the system is vulnerable. Review editor/control.php for proper input validation of the filePath parameter.

Check Version:

Check ZenTao admin panel or config files for version information

Verify Fix Applied:

After upgrading to 21.7.9+, verify version and test file deletion functionality with malicious filePath inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion attempts in application logs
  • Requests to editor/control.php with suspicious filePath parameters

Network Indicators:

  • HTTP requests containing path traversal sequences (../) in filePath parameter

SIEM Query:

web_access_logs WHERE url CONTAINS 'editor/control.php' AND (params CONTAINS '../' OR params CONTAINS '..\\')
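The SIEM query above applied to raw access-log lines, as an added example that is not part of the original advisory: it keeps the same rule (requests to editor/control.php whose parameters contain `../` or `..\`) but percent-decodes the query string first, because a substring match on the raw line misses `%2e%2e%2f` and double-encoded variants. The log lines, client addresses and timestamps are constructed for illustration.

```python
"""Access-log detection for path traversal attempts against editor/control.php.

Added example, not ZenTao code: the page's SIEM rule re-expressed over
Combined Log Format lines, with percent-decoding so encoded traversal
sequences are caught as well. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

# Combined Log Format: client, identd, user, [timestamp], "METHOD URL PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# '../' or '..\' after decoding; backslash covered because the SIEM rule checks both.
TRAVERSAL = re.compile(r"\.\.[/\\]")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded sequences like %252e%252e%252f are normalized too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal_request(url: str) -> bool:
    """True when the request targets editor/control.php and any query
    parameter value contains an upward traversal after decoding."""
    if "editor/control.php" not in url:
        return False
    query = url.partition("?")[2]
    return bool(TRAVERSAL.search(fully_decode(query)))


def scan(lines):
    """Return (client, timestamp, url, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a parseable access-log line
        if is_traversal_request(m["url"]):
            hits.append((m["client"], m["ts"], m["url"], m["status"]))
    return hits


# Constructed sample log: one benign request, three traversal attempts in
# plain, percent-encoded and backslash form, and one traversal against a
# different endpoint that the endpoint filter deliberately leaves out.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:08:15:02 +0000] "GET /zentao/editor/control.php?filePath=src/main.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2026:08:16:40 +0000] "POST /zentao/editor/control.php?filePath=../../config/my.php HTTP/1.1" 200 44',
    '10.0.0.9 - - [10/Mar/2026:08:16:41 +0000] "POST /zentao/editor/control.php?filePath=%2e%2e%2f%2e%2e%2fconfig%2fmy.php HTTP/1.1" 200 44',
    '10.0.0.9 - - [10/Mar/2026:08:16:43 +0000] "POST /zentao/editor/control.php?filePath=..%5c..%5cconfig%5cmy.php HTTP/1.1" 200 44',
    '10.0.0.7 - - [10/Mar/2026:08:17:00 +0000] "GET /zentao/index.php?f=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The endpoint filter mirrors the SIEM query's `url CONTAINS 'editor/control.php'` clause; if a deployment routes every request through a front controller so that the controller filename never appears in the URL, widen that filter to whatever the editor module's requests look like in your logs, otherwise the rule silently matches nothing.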
