VYPR

Zentao

by Zentao

CVEs (14)

  • CVE-2022-4984 | High | Nov 13, 2025
    risk 0.57 | cvss n/a | epss 0.00

    ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html…

  • CVE-2025-13789 | Medium | Nov 30, 2025
    risk 0.41 | cvss 6.3 | epss 0.00

    A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and…

  • CVE-2026-2551 | Medium | Feb 16, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability was determined in ZenTao up to 21.7.8. Affected by this vulnerability is the function delete of the file editor/control.php of the component Backup Handler. This manipulation of the argument fileName causes path traversal. It is possible to initiate the attack…

  • CVE-2026-1884 | Medium | Feb 4, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The…

  • CVE-2026-2552 | Feb 16, 2026
    risk 0.00 | cvss n/a | epss 0.00

    A vulnerability was identified in ZenTao up to 21.7.8. Affected by this issue is the function delete of the file editor/control.php of the component Committer. Such manipulation of the argument filePath leads to path traversal. Upgrading to version 21.7.9 can resolve this issue.…

  • CVE-2025-13787 | Nov 30, 2025
    risk 0.00 | cvss n/a | epss 0.00

    A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Manipulation of the argument fileID can lead to improper privilege management. It is possible to…

  • CVE-2024-24216 | Feb 8, 2024
    risk 0.00 | cvss n/a | epss 0.01

    Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php.

  • CVE-2023-49394 | Jan 10, 2024
    risk 0.00 | cvss n/a | epss 0.00

    Zentao versions 4.1.3 and earlier have a URL redirect vulnerability, which prevents the system from functioning properly.

  • CVE-2023-46475 | Nov 2, 2023
    risk 0.00 | cvss n/a | epss 0.00

    A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code.

  • CVE-2023-46376 | Oct 27, 2023
    risk 0.00 | cvss n/a | epss 0.00

    Zentao Biz version 8.7 and before is vulnerable to Information Disclosure.

  • CVE-2020-21268 | Jun 20, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Cross Site Scripting vulnerability in EasySoft ZenTao v.11.6.4 allows a remote attacker to execute arbitrary code via the lastComment parameter.

  • CVE-2020-22533 | Apr 4, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Cross Site Scripting vulnerability found in Zentao allows a remote attacker to execute arbitrary code via the lang parameter.

  • CVE-2022-47745 | Jan 19, 2023
    risk 0.00 | cvss n/a | epss 0.15

    ZenTao 16.4 to 18.0.beta1 is vulnerable to SQL injection. After logging in as any user, an attacker can complete the SQL injection by constructing a special request and sending it to the function importNotice.

  • CVE-2022-37700 | Sep 19, 2022
    risk 0.00 | cvss n/a | epss 0.03

    Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is the URL view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig.