CVE Catalog

CVE-2026-27419

Critical (CVSS 9.9)

Summary

The Zegen plugin in versions 1.1.9 and earlier allows a subscriber to upload arbitrary files to the server. This vulnerability can be exploited to upload malicious software without proper authorization.

Risk Assessment

An attacker with a subscriber role can upload an executable file, leading to server compromise, data theft, or further propagation of the attack within the organization's network.

Recommendation

Immediately update the Zegen plugin to the latest available version that fixes this vulnerability. Additionally, restrict subscriber file uploads to an allowlist of permitted file types.

Original NVD description (English source)

Subscriber Arbitrary File Upload in Zegen <= 1.1.9 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS