
CVE-2026-28207

Severity: Medium · Public PoC available
Published: 26 February 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (v0.4.2)
CVSS v3.1 Score: 6.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L)
EPSS Score: 0.0001 (3.4th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28207 is a medium-severity OS Command Injection (CWE-78) vulnerability in Zenc-Lang Zen C. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE is ranked at the 3.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28207 is a command injection vulnerability (CWE-78) affecting the Zen C compiler, a systems programming language that compiles to human-readable GNU C/C11, in versions prior to 0.4.2. The issue resides in the main application logic within src/main.c, where the compiler constructs a shell command string by concatenating various arguments, including the user-controlled output filename provided via the -o command-line argument. This string is then executed using the system() function, which invokes a shell that interprets shell metacharacters in the filename, enabling arbitrary command execution.

Local attackers can exploit this vulnerability by influencing the command-line arguments passed to the zc compiler, such as through a build script or CI/CD pipeline configuration. No privileges are required (PR:N), though it demands local access (AV:L) and user interaction (UI:R) to run the compiler with a malicious -o argument. Successful exploitation allows execution of arbitrary shell commands with the privileges of the user running the compiler, resulting in low confidentiality and availability impacts but high integrity impact, as reflected in the CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).

The vulnerability has been addressed in Zen C version 0.4.2 by eliminating system() calls, introducing ArgList for argument management, and handling arguments internally to prevent shell interpretation. Security advisories, including the GitHub Security Advisory at GHSA-9rff-x96h-76h2, recommend updating to version 0.4.2 or later to mitigate the issue.


Vulnerability details

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interpreted by the shell, leading to arbitrary command execution. An attacker who can influence the command-line arguments passed to the `zc` compiler (for example through a build script or a CI/CD pipeline configuration) can execute arbitrary commands with the privileges of the user running the compiler. The vulnerability has been fixed in version 0.4.2 by removing `system()` calls, implementing `ArgList`, and handling arguments internally. Users are advised to update to Zen C version v0.4.2 or later.
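The following C is an added example, not Zen C's own code, illustrating the pattern that both the analysis above and the advisory text describe: a compiler driver that pastes the -o value into a system() command string, next to one that hands each argument to the backend compiler as a single argv element so no shell ever parses it. ArgList, build_cc_args, has_shell_meta and run_argv are hypothetical names chosen for this example; the real Zen C types and functions are not reproduced.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical argument list, modelled on the ArgList the advisory names;
 * the real Zen C type and API are not reproduced here. */
typedef struct { char *v[32]; int n; } ArgList;

/* VULNERABLE pattern (shown for contrast, never called): the -o value is
 * pasted into a string that system() hands to /bin/sh, so the shell parses
 * any metacharacter in the filename instead of treating it as a name. */
int compile_via_shell_unsafe(const char *cfile, const char *outfile) {
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "cc %s -o %s", cfile, outfile);
    return system(cmd);
}

static void arglist_push(ArgList *a, const char *s) {
    if (a->n < 31) a->v[a->n++] = strdup(s);
    a->v[a->n] = NULL;              /* execvp needs a NULL terminator */
}

/* Hardened pattern: each argument is one argv element and no shell is
 * involved, so "out;name.o" reaches cc as a filename and nothing else. */
ArgList build_cc_args(const char *cfile, const char *outfile) {
    ArgList a = { .n = 0 };
    arglist_push(&a, "cc");
    arglist_push(&a, cfile);
    arglist_push(&a, "-o");
    arglist_push(&a, outfile);
    return a;
}

/* Defence in depth (SI-10): an output path has no business containing
 * shell metacharacters, so the driver can reject them before anything runs. */
int has_shell_meta(const char *s) {
    return strpbrk(s, ";|&$`<>()\"'\\*?[]{}\n") != NULL;
}

/* Executes the argv directly via fork/execvp; returns the child's exit code. */
int run_argv(const ArgList *a) {
    pid_t pid = fork();
    if (pid == 0) { execvp(a->v[0], a->v); _exit(127); }
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The difference a reviewer should look for is whether the filename ever becomes part of a string that a shell tokenises; with build_cc_args plus run_argv it does not, and has_shell_meta adds the input validation the mitigating controls below call for.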


Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

T1202 Indirect Command Execution (Stealth): Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Command injection via a malicious -o argument directly invokes system() to execute arbitrary Unix shell commands; the vulnerable compiler is abused as a trusted utility for indirect command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33491 (same product: Zenc-Lang Zen C)
CVE-2026-32010 (shared CWE-78)
CVE-2026-27566 (shared CWE-78)
CVE-2026-44724 (shared CWE-78)
CVE-2026-22227 (shared CWE-78)
CVE-2024-40891 (shared CWE-78)
CVE-2026-26280 (shared CWE-78)
CVE-2024-57019 (shared CWE-78)
CVE-2026-45152 (shared CWE-78)
CVE-2025-53949 (shared CWE-78)

Affected Assets

zenc-lang zen c: ≤ 0.4.2

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted command-line input (the -o filename) before it is concatenated into a shell command, blocking the CWE-78 injection.

SI-2 Flaw Remediation (prevent): Mandates prompt application of the vendor patch (v0.4.2) that removes the system() call and replaces it with safe ArgList handling.

Additional control (prevent): Requires replacement or isolation of the unsupported/vulnerable compiler version so that the flawed main.c logic cannot be executed in production builds.
