cvedb.io
CVE-2026-28207
MEDIUM · CVSS 6.6
EPSS exploitation probability: 0%
Published 2026-02-26T23:16:35.277 · Last modified 2026-06-17T10:28:19.953

Summary

Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.2, a command injection vulnerability (CWE-78) in the Zen C compiler allows local attackers to execute arbitrary shell commands by providing a specially crafted output filename via the `-o` command-line argument. The vulnerability existed in the `main` application logic (specifically in `src/main.c`), where the compiler constructed a shell command string to invoke the backend C compiler. This command string was built by concatenating various arguments, including the user-controlled output filename, and was subsequently executed using the `system()` function. Because `system()` invokes a shell to parse and execute the command, shell metacharacters within the output filename were interprete

Affected products

zenc-lang — zen_c

Does this affect you?

Add your gear to cvedb and we'll alert you only when zenc-lang ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.