VYPR
Vendor: Icewhaletech

Products: 2
CVEs: 16
Across products: 16
Status: Private

Recent CVEs (16)
  • CVE-2026-28798 | Cri | Apr 3, 2026
    risk 0.52 | cvss 9.0 | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests…

  • CVE-2024-49357 | Oct 24, 2024
    risk 0.06 | cvss | epss 0.21

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http:///v1/users/image?path=/var/lib/casaos/1/app_order.json` and…

  • CVE-2026-21891 | Jan 8, 2026
    risk 0.01 | cvss | epss 0.02

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided…

  • CVE-2026-28442 | Mar 5, 2026
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these…

  • CVE-2025-64427 | Mar 2, 2026
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g.,…

  • CVE-2026-28286 | Mar 2, 2026
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting…

  • CVE-2025-58432 | Sep 17, 2025
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT.

  • CVE-2025-58431 | Sep 17, 2025
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2_1/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT.

  • CVE-2024-49359 | Oct 24, 2024
    risk 0.00 | cvss | epss 0.01

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users…

  • CVE-2024-49358 | Oct 24, 2024
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http:///v1/users/login` in ZimaOS returns distinct responses based on whether a username exists or the password is…

  • CVE-2024-48932 | Oct 24, 2024
    risk 0.00 | cvss | epss 0.01

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http:///v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization.…

  • CVE-2024-48931 | Oct 24, 2024
    risk 0.00 | cvss | epss 0.01

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=&files=<file_path>` is vulnerable to arbitrary file reading due to…

  • CVE-2024-28232 | Apr 1, 2024
    risk 0.00 | cvss | epss 0.01

    Go package IceWhaleTech/CasaOS-UserService provides user management functionalities to CasaOS. The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in version 0.4.7. This issue in CVE-2024-28232 has been patched in…

  • CVE-2024-24766 | Mar 6, 2024
    risk 0.00 | cvss | epss 0.01

    CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the…

  • CVE-2024-24767 | Mar 6, 2024
    risk 0.00 | cvss | epss 0.01

    CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the…

  • CVE-2024-24765 | Mar 6, 2024
    risk 0.00 | cvss | epss 0.01

    CasaOS-UserService provides user management functionalities to CasaOS. Prior to version 0.4.7, path filtering of the URL for user avatar image files was not strict, making it possible to get any file on the system. This could allow an unauthorized actor to access, for example,…