Zentao

Recent CVEs (14)

| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2022-4984 | High | 0.57 | — | 0.00 | Nov 13, 2025 | ZenTao Biz < 6.5, ZenTao Max < 3.0, ZenTao Open Source Edition < 16.5, and ZenTao Open Source Edition < 16.5.beta1 contain an SQL injection vulnerability in the login functionality. The application does not properly validate the account parameter on /zentao/user-login.html… |
| CVE-2025-13789 | Med | 0.41 | 6.3 | 0.00 | Nov 30, 2025 | A vulnerability was found in ZenTao up to 21.7.6-8564. This affects the function makeRequest of the file module/ai/model.php. The manipulation of the argument Base results in server-side request forgery. The attack can be launched remotely. The exploit has been made public and… |
| CVE-2026-2551 | Med | 0.35 | 5.4 | 0.00 | Feb 16, 2026 | A vulnerability was determined in ZenTao up to 21.7.8. Affected by this vulnerability is the function delete of the file editor/control.php of the component Backup Handler. This manipulation of the argument fileName causes path traversal. It is possible to initiate the attack… |
| CVE-2026-1884 | Med | 0.31 | 4.7 | 0.00 | Feb 4, 2026 | A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The… |
| CVE-2026-2552 | — | 0.00 | — | 0.00 | Feb 16, 2026 | A vulnerability was identified in ZenTao up to 21.7.8. Affected by this issue is the function delete of the file editor/control.php of the component Committer. Such manipulation of the argument filePath leads to path traversal. Upgrading to version 21.7.9 can resolve this issue.… |
| CVE-2025-13787 | — | 0.00 | — | 0.00 | Nov 30, 2025 | A flaw has been found in ZenTao up to 21.7.6-8564. The affected element is the function file::delete of the file module/file/control.php of the component File Handler. Executing manipulation of the argument fileID can lead to improper privilege management. It is possible to… |
| CVE-2024-24216 | — | 0.00 | — | 0.01 | Feb 8, 2024 | Zentao v18.0 to v18.10 was discovered to contain a remote code execution (RCE) vulnerability via the checkConnection method of /app/zentao/module/repo/model.php. |
| CVE-2023-49394 | — | 0.00 | — | 0.00 | Jan 10, 2024 | Zentao versions 4.1.3 and before have a URL redirect vulnerability, which prevents the system from functioning properly. |
| CVE-2023-46475 | — | 0.00 | — | 0.00 | Nov 2, 2023 | A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code. |
| CVE-2023-46376 | — | 0.00 | — | 0.00 | Oct 27, 2023 | Zentao Biz version 8.7 and before is vulnerable to Information Disclosure. |
| CVE-2020-21268 | — | 0.00 | — | 0.01 | Jun 20, 2023 | Cross Site Scripting vulnerability in EasySoft ZenTao v.11.6.4 allows a remote attacker to execute arbitrary code via the lastComment parameter. |
| CVE-2020-22533 | — | 0.00 | — | 0.01 | Apr 4, 2023 | Cross Site Scripting vulnerability found in Zentao allows a remote attacker to execute arbitrary code via the lang parameter. |
| CVE-2022-47745 | — | 0.00 | — | 0.15 | Jan 19, 2023 | ZenTao 16.4 to 18.0.beta1 is vulnerable to SQL injection. After logging in with any user, you can complete SQL injection by constructing a special request and sending it to function importNotice. |
| CVE-2022-37700 | — | 0.00 | — | 0.03 | Sep 19, 2022 | Zentao Demo15 is vulnerable to Directory Traversal. The impact is: obtain sensitive information (remote). The component is: URL : view-source:https://demo15.zentao.pm/user-login.html/zentao/index.php?mode=getconfig. |