CVE-2026-2551
Received Received - Intake
Path Traversal in ZenTao Backup Handler Enables Remote Exploit

Publication date: 2026-02-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in ZenTao up to 21.7.8. Affected by this vulnerability is the function delete of the file editor/control.php of the component Backup Handler. This manipulation of the argument fileName causes path traversal. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2551
EUVD
EUVD-2026-6094
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zentao zentao to 21.7.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2551 is a path traversal vulnerability in ZenTao versions up to 21.7.8, specifically in the delete function of the backup component located in backup/control.php. The vulnerability occurs because the fileName parameter is not properly sanitized, allowing an attacker to manipulate it to traverse directories outside the intended backup directory.

An authenticated attacker can exploit this flaw by supplying path traversal sequences (e.g., ../../../../../) to delete arbitrary files or directories on the server that the application has permission to remove.

The vulnerability allows remote exploitation and has been publicly disclosed, with proof-of-concept exploits available.

Impact Analysis

This vulnerability allows an authenticated attacker to delete any file or directory on the server that the application has permission to access.

The impact includes potential denial of service by deleting critical files, compromising system integrity and availability.

Such unauthorized file deletions can disrupt normal operations and may be leveraged for further exploitation or attacks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for HTTP GET requests targeting the vulnerable delete function in ZenTao's backup module, specifically requests to the endpoint that includes the parameter fileName with path traversal sequences."}, {'type': 'paragraph', 'content': 'An example of a suspicious request is a GET request like: GET /zentao/index.php?m=backup&f=delete&fileName=../../../../../target'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or scanning, you can use network monitoring tools or web server logs to search for such patterns.'}, {'type': 'list_item', 'content': "Use grep on web server access logs to find suspicious requests: grep -E 'm=backup&f=delete&fileName=.*\\.\\./' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns in URL parameters.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the vulnerable delete function to trusted users only, as the vulnerability requires authentication.'}, {'type': 'paragraph', 'content': 'If possible, update ZenTao to a version that includes the fix which sanitizes the fileName parameter using basename(), validates paths with realpath(), and ensures deletion only occurs within the backup directory.'}, {'type': 'paragraph', 'content': 'If an update is not immediately available, consider applying the following temporary mitigations:'}, {'type': 'list_item', 'content': 'Restrict access to the backup deletion endpoint via network controls or web server configuration.'}, {'type': 'list_item', 'content': "Implement input validation or filtering at the web server or application firewall level to block requests containing path traversal sequences like '../' in the fileName parameter."}, {'type': 'list_item', 'content': 'Monitor logs for suspicious activity and respond promptly to any detected exploitation attempts.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2551. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart