CVE-2026-2551
Path Traversal in ZenTao Backup Handler Enables Remote Exploit
Publication date: 2026-02-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zentao | zentao | to 21.7.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2551 is a path traversal vulnerability in ZenTao versions up to 21.7.8, specifically in the delete function of the backup component located in backup/control.php. The vulnerability occurs because the fileName parameter is not properly sanitized, allowing an attacker to manipulate it to traverse directories outside the intended backup directory.
An authenticated attacker can exploit this flaw by supplying path traversal sequences (e.g., ../../../../../) to delete arbitrary files or directories on the server that the application has permission to remove.
The vulnerability allows remote exploitation and has been publicly disclosed, with proof-of-concept exploits available.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to delete any file or directory on the server that the application has permission to access.
The impact includes potential denial of service by deleting critical files, compromising system integrity and availability.
Such unauthorized file deletions can disrupt normal operations and may be leveraged for further exploitation or attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for HTTP GET requests targeting the vulnerable delete function in ZenTao's backup module, specifically requests to the endpoint that includes the parameter fileName with path traversal sequences."}, {'type': 'paragraph', 'content': 'An example of a suspicious request is a GET request like: GET /zentao/index.php?m=backup&f=delete&fileName=../../../../../target'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or scanning, you can use network monitoring tools or web server logs to search for such patterns.'}, {'type': 'list_item', 'content': "Use grep on web server access logs to find suspicious requests: grep -E 'm=backup&f=delete&fileName=.*\\.\\./' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns in URL parameters.'}] [2, 3]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable delete function to trusted users only, as the vulnerability requires authentication.'}, {'type': 'paragraph', 'content': 'If possible, update ZenTao to a version that includes the fix which sanitizes the fileName parameter using basename(), validates paths with realpath(), and ensures deletion only occurs within the backup directory.'}, {'type': 'paragraph', 'content': 'If an update is not immediately available, consider applying the following temporary mitigations:'}, {'type': 'list_item', 'content': 'Restrict access to the backup deletion endpoint via network controls or web server configuration.'}, {'type': 'list_item', 'content': "Implement input validation or filtering at the web server or application firewall level to block requests containing path traversal sequences like '../' in the fileName parameter."}, {'type': 'list_item', 'content': 'Monitor logs for suspicious activity and respond promptly to any detected exploitation attempts.'}] [2]