CVE-2026-28207

Source
https://cve.org/CVERecord?id=CVE-2026-28207
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28207.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28207
Aliases
  • GHSA-9rff-x96h-76h2
Published
2026-02-26T22:17:58.898Z
Modified
2026-03-03T02:35:52.007312Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L
Summary
Zen-C Vulnerable to Command Injection via Malicious Output Filename
Details

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the -o command-line argument. The vulnerability existed in the main application logic (specifically in src/main.c), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was then executed with the system() function. Because system() invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the zc compiler (for example through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing the system() calls and introducing ArgList with internal argument handling. Users are advised to update to Zen C version v0.4.2 or later.
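The difference between the two command-construction approaches the advisory names, as an added example that is not code from the Zen C project: the ArgList type, its helper names, the backend compiler flags and the constructed output filename are assumptions, and the real fix's API may differ.

```c
/* Added illustration of the CWE-78 pattern described above and its argv-based
 * replacement. ArgList and the helper names are hypothetical, not Zen C's API. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

typedef struct { char *argv[64]; int argc; } ArgList;

static void arglist_init(ArgList *a) { a->argc = 0; a->argv[0] = NULL; }

/* Appends exactly one argv element; the string is stored as-is, never re-parsed. */
static int arglist_push(ArgList *a, const char *s) {
    if (a->argc + 1 >= 64) return -1;
    a->argv[a->argc++] = strdup(s);
    a->argv[a->argc] = NULL;
    return 0;
}

static void arglist_free(ArgList *a) {
    for (int i = 0; i < a->argc; i++) free(a->argv[i]);
    a->argc = 0;
}

/* Legacy pattern (CWE-78): one flat string destined for system(). A filename
 * containing ';' is split by /bin/sh into two commands. Built here only to
 * show the problem; it is never executed. */
static int build_shell_string(char *buf, size_t n, const char *src, const char *out) {
    return snprintf(buf, n, "cc -std=c11 -o %s %s", out, src);
}

/* Hardened pattern: the output name occupies a single argv slot, so shell
 * metacharacters reach the backend compiler as ordinary filename bytes.
 * Returns 0 on success, non-zero if the list is full. */
static int build_compile_args(ArgList *a, const char *src, const char *out) {
    arglist_init(a);
    return arglist_push(a, "cc") || arglist_push(a, "-std=c11") ||
           arglist_push(a, "-o") || arglist_push(a, out) || arglist_push(a, src);
}

/* Executes the ArgList with fork/execvp: no shell is involved at any point.
 * Returns the child's exit status, or -1 on failure. */
static int run_args(const ArgList *a) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(a->argv[0], a->argv); _exit(127); }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    const char *out = "a.out; echo injected";   /* constructed hostile -o value */
    char cmd[256];
    build_shell_string(cmd, sizeof cmd, "main.c", out);
    printf("shell string: %s\n", cmd);          /* sh would run two commands */
    ArgList a;
    build_compile_args(&a, "main.c", out);
    printf("argv[3] = \"%s\"\n", a.argv[3]);    /* one literal argument */
    (void)run_args;                              /* see run_args for shell-free exec */
    arglist_free(&a);
    return 0;
}
```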

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28207.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/z-libs/zen-c

Affected ranges

Type
GIT
Repo
https://github.com/z-libs/zen-c
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.4.2"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.3b
v0.4.0
v0.4.1

Database specific

vanir_signatures
[
    {
        "id": "CVE-2026-28207-085b0d5b",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "function": "append_flag",
            "file": "src/utils/utils.c"
        },
        "digest": {
            "length": 450.0,
            "function_hash": "164256239185075240568561019359904808749"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2026-28207-27415ed7",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "file": "src/utils/utils.c"
        },
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2026-28207-5c080ffb",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "file": "src/platform/os.c"
        },
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2026-28207-6e39c65b",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "file": "src/utils/cmd.c"
        },
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2026-28207-71baf512",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "file": "src/utils/cmd.h"
        },
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2026-28207-8e985b33",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "file": "src/platform/os.h"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "298927655213857740648354889735081364369"
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2026-28207-c8401512",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "file": "src/main.c"
        },
        "digest": {
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2026-28207-f5d5709e",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "function": "build_compile_command",
            "file": "src/utils/cmd.c"
        },
        "digest": {
            "length": 1761.0,
            "function_hash": "335654256571636874540694241445337616733"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2026-28207-fd89503d",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/z-libs/zen-c/commit/c1df785b1ea54adcf708d2042e3e0fd4fb040c72",
        "target": {
            "function": "main",
            "file": "src/main.c"
        },
        "digest": {
            "length": 12775.0,
            "function_hash": "177578023572437620667581499895912277333"
        },
        "signature_type": "Function"
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28207.json"