Executive Summary

CVE-2026-2552 is a path traversal vulnerability in the ZenTao Editor component, specifically in the delete() function of the editor/control.php file. This vulnerability allows an authenticated user to manipulate the filePath argument, which is Base64-encoded, to delete arbitrary files on the server filesystem.

The vulnerability arises because the application decodes the filePath parameter without validating the resulting path. It then directly checks if the file exists and deletes it without restricting the file location or verifying permissions beyond filesystem-level checks.

An attacker can exploit this by encoding the target file path in Base64 and sending it as a parameter to the delete function, causing the server to delete files outside the intended directories.

The root cause is the lack of path validation and restrictions, allowing deletion of critical system or application files.

Upgrading to ZenTao version 21.7.9, which includes strict path validation and directory restrictions, resolves this issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated attacker to delete arbitrary files on the server where ZenTao is installed.

The impact includes potential denial of service by deleting critical files, disruption of application functionality, and possible further exploitation if important system or application files are removed.

Because the attacker can delete any file the application has permission to access, this can compromise the integrity and availability of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious HTTP requests targeting the vulnerable ZenTao Editor component, specifically requests to the delete function in editor/control.php.'}, {'type': 'paragraph', 'content': 'Look for GET requests to the endpoint `/zentao/index.php?m=editor&f=delete&filePath=<Base64-encoded-path>` where the filePath parameter is Base64-encoded and may represent paths outside the intended directory.'}, {'type': 'paragraph', 'content': 'An example detection approach is to search web server logs for requests matching the pattern:'}, {'type': 'list_item', 'content': 'GET /zentao/index.php?m=editor&f=delete&filePath='}, {'type': 'paragraph', 'content': 'You can use command-line tools like grep to find such requests in your logs. For example:'}, {'type': 'list_item', 'content': "grep 'm=editor&f=delete&filePath=' /var/log/apache2/access.log"}, {'type': 'paragraph', 'content': 'Additionally, since the filePath parameter is Base64-encoded, decoding suspicious filePath values found in logs can help identify attempts to delete critical or unexpected files.'}, {'type': 'paragraph', 'content': 'Note that exploitation requires authentication, so monitoring for unusual authenticated requests to this endpoint is also recommended.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the affected ZenTao installation to version 21.7.9 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, restrict access to the vulnerable editor/delete endpoint to trusted users only, and monitor for suspicious activity.

Implement strict validation on the filePath parameter to ensure it does not allow path traversal, such as verifying the resolved path is within allowed directories before allowing deletion.

Disable the editor feature if it is not required, by not enabling it via the POST request to `/zentao/index.php?m=editor&f=turnon&status=1`.

Useful 0 Not Useful 0