VYPR
Vendor: Zimaspace

Products: 1
CVEs: 10
Across products: 10
Status: Private

Recent CVEs (10)

  • CVE-2026-28798 | Critical | Apr 3, 2026
    risk 0.52 | cvss 9.0 | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. Prior to version 1.5.3, a proxy endpoint (/v1/sys/proxy) exposed by ZimaOS's web interface can be abused (via an externally reachable domain using a Cloudflare Tunnel) to make requests…

  • CVE-2024-49357 | Oct 24, 2024
    risk 0.06 | cvss | epss 0.21

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http:///v1/users/image?path=/var/lib/casaos/1/app_order.json` and…

  • CVE-2026-21891 | Jan 8, 2026
    risk 0.01 | cvss | epss 0.02

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided…

  • CVE-2026-28442 | Mar 5, 2026
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these…

  • CVE-2025-64427 | Mar 2, 2026
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g.,…

  • CVE-2026-28286 | Mar 2, 2026
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting…

  • CVE-2025-58432 | Sep 17, 2025
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and all prior versions, the /v2_1/files/file/uploadV2 endpoint allows file upload from ANY USER who has access to localhost. File uploads are performed AS ROOT.

  • CVE-2025-58431 | Sep 17, 2025
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.4.1 and earlier, the /v2_1/files/file/download endpoint allows file read from ANY USER who has access to localhost. File reads are performed AS ROOT.

  • CVE-2024-49358 | Oct 24, 2024
    risk 0.00 | cvss | epss 0.00

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http:///v1/users/login` in ZimaOS returns distinct responses based on whether a username exists or the password is…

  • CVE-2024-48932 | Oct 24, 2024
    risk 0.00 | cvss | epss 0.01

    ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http:///v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization.…