What is CVE-2026-28207?

CVE-2026-28207 is a medium-severity vulnerability in Zenc-lang Zen_c, classified under OS Command Injection. CVSS score: 6.6/10. Published 2026-02-26.

How severe is CVE-2026-28207?

Medium severity. CVSS v3 base score is 6.6 out of 10.

RCE in Zenc-lang Zen_c

CVE-2026-28207

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by provi…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.000 (3.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.6 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L.

Affected products

Zenc-lang Zen_c
Z-libs Zen-c — versions < 0.4.2

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

https://github.com/z-libs/Zen-C/security/advisories/GHSA-9rff-x96h-76h2 (x_refsource_CONFIRM, Exploit, Mitigation, Vendor Advisory)
af854a3a-2127-422b-91ae-364da2661108 (Exploit, Third Party Advisory)

Frequently asked questions

What is CVE-2026-28207?: CVE-2026-28207 is a medium-severity vulnerability in Zenc-lang Zen_c, classified under OS Command Injection. CVSS score: 6.6/10. Published 2026-02-26.
How severe is CVE-2026-28207?: Medium severity. CVSS v3 base score is 6.6 out of 10.