CVE-2026-2552: Path Traversal in ZenTao
A vulnerability was identified in ZenTao up to 21.7.8. Affected by this issue is the function delete of the file editor/control.php of the component Committer. Manipulation of the argument filePath leads to path traversal. Upgrading to version 21.7.9 resolves this issue; the affected component should be upgraded.
AI Analysis
Technical Summary
CVE-2026-2552 is a path traversal vulnerability in the ZenTao project management software, located in the delete function of editor/control.php within the Committer component. It arises from improper validation of the filePath parameter: an authenticated user with low privileges can supply traversal sequences to reach files outside the intended directory and potentially delete or access them. The vulnerability affects all ZenTao versions from 21.7.0 through 21.7.8. The attack vector is adjacent network (AV:A), with low attack complexity (AC:L), no user interaction (UI:N), and low privileges required (PR:L). The impact on confidentiality, integrity, and availability is rated low, consistent with the CVSS score of 5.1. No special authentication tokens or user interaction are needed, so exploitation is straightforward once valid credentials are obtained. No exploits have been reported in the wild yet. The issue is resolved in ZenTao 21.7.9, which adds proper input validation and sanitization to prevent path traversal. Successful exploitation could allow an attacker to delete critical files or access sensitive data, disrupting project management workflows or exposing confidential information.
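The defect class described above is a delete handler that trusts a user-supplied relative path. The following is an added illustration, not ZenTao's code and not the vendor's fix: it contrasts a naive string-prefix containment check, which `../` components slip past, with a hardened check that resolves the path and verifies it stays inside the allowed base directory. The scratch directory layout, file names and function names are constructed for the example.

```python
"""Path-containment check for a file-deletion handler.

Constructed example (not ZenTao code): shows why a string-prefix check on a
`filePath` argument is insufficient and how a resolved-path containment check
closes the gap, including the symlink-escape case.
"""
import os
import tempfile
from typing import Optional


def naive_is_inside(base_dir: str, file_path: str) -> bool:
    # Naive check: inspects the string only, so "base/../secret.txt" passes.
    return os.path.join(base_dir, file_path).startswith(base_dir)


def hardened_resolve(base_dir: str, file_path: str) -> Optional[str]:
    """Return the resolved absolute path if it lies inside base_dir, else None."""
    real_base = os.path.realpath(base_dir)
    # Reject absolute input outright so join() cannot be short-circuited.
    if os.path.isabs(file_path):
        return None
    # realpath collapses ".." components and follows symlinks.
    candidate = os.path.realpath(os.path.join(real_base, file_path))
    # commonpath is component-aware: "/srv/data2" is not inside "/srv/data".
    try:
        if os.path.commonpath([real_base, candidate]) != real_base:
            return None
    except ValueError:  # different drives on Windows
        return None
    return candidate


def safe_delete(base_dir: str, file_path: str) -> bool:
    """Delete only if the resolved target is a regular file inside base_dir."""
    target = hardened_resolve(base_dir, file_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Build a scratch tree and exercise both checks; returns the outcomes."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "repo")          # the only directory deletes may touch
    os.makedirs(base)
    outside = os.path.join(root, "secret.txt")  # constructed file outside the scope
    inside = os.path.join(base, "notes.txt")    # constructed file inside the scope
    for p in (outside, inside):
        with open(p, "w") as fh:
            fh.write("x")
    # A symlink inside the base that points outside it (skipped if unsupported).
    link = os.path.join(base, "link.txt")
    try:
        os.symlink(outside, link)
        have_link = True
    except (OSError, NotImplementedError):
        have_link = False
    results = {
        "naive_allows_traversal": naive_is_inside(base, "../secret.txt"),
        "hardened_rejects_traversal": hardened_resolve(base, "../secret.txt") is None,
        "hardened_rejects_absolute": hardened_resolve(base, outside) is None,
        "hardened_accepts_inside": hardened_resolve(base, "notes.txt") == os.path.realpath(inside),
        "delete_outside_refused": not safe_delete(base, "../secret.txt"),
        "outside_still_exists": os.path.exists(outside),
        "delete_inside_ok": safe_delete(base, "notes.txt"),
    }
    if have_link:
        results["hardened_rejects_symlink_escape"] = hardened_resolve(base, "link.txt") is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that containment must be decided on the resolved filesystem path, not on the request string: `realpath` both normalises `..` and follows symlinks, and `commonpath` avoids the sibling-directory false positive that a plain `startswith` check produces.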
Potential Impact
For European organizations, this vulnerability could lead to unauthorized deletion of, or access to, files on servers running vulnerable ZenTao versions, impacting the integrity and availability of project management data. Confidential project details, source code, or configuration files could be exposed or tampered with, potentially causing operational disruptions and intellectual property loss. Organizations relying heavily on ZenTao for software development lifecycle management face increased risk from insider threats or credential compromise leading to exploitation. The medium severity rating reflects moderate impact potential, but the ease of exploitation with low privileges and no user interaction increases risk. Disruptions could affect compliance with data protection regulations such as GDPR if sensitive personal data is involved. Recovery efforts may require restoring files from backups and conducting forensic investigations, increasing operational costs.
Mitigation Recommendations
European organizations should immediately upgrade all ZenTao instances to version 21.7.9 or later to remediate the vulnerability. In addition to patching, implement strict access controls to limit user privileges to the minimum necessary, reducing the risk of exploitation by low-privilege users. Monitor logs for unusual file deletion or access patterns within the Committer component. Employ network segmentation to restrict access to ZenTao servers and enforce multi-factor authentication to reduce the risk of credential compromise. Conduct regular security audits and vulnerability scans focusing on web application input validation. Back up critical project data frequently and verify backup integrity to enable rapid recovery. Educate developers and administrators about secure coding and configuration practices to prevent similar issues. Consider deploying web application firewalls (WAFs) with custom rules to detect and block path traversal attempts until patches are applied.
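The monitoring and WAF-rule recommendations above need a concrete detection. The following added example (not ZenTao's logging, not a vendor rule) scans constructed web-server access-log lines for delete requests whose `filePath` argument, once URL-decoded, tries to leave its directory. The log layout and the `m=editor&f=delete` request shape are assumptions for the example; the decoding logic is the part worth reusing, because single-pass decoders miss double-encoded traversal.

```python
"""Log-side detection of path-traversal attempts in a `filePath` parameter.

Constructed example, not ZenTao's own logging or a vendor rule: scans access-log
lines (format and endpoint shape assumed) for requests to a delete endpoint
whose `filePath` argument, after full URL decoding, escapes a relative scope.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a simplified combined-log layout:
# client - user [time] "METHOD target HTTP/1.1" status
SAMPLE_LOG = """\
10.0.0.5 - alice [16/Feb/2026:11:19:11 +0000] "GET /index.php?m=editor&f=delete&filePath=notes.txt HTTP/1.1" 200
10.0.0.9 - bob [16/Feb/2026:11:20:03 +0000] "GET /index.php?m=editor&f=delete&filePath=..%2F..%2Fconfig%2Fmy.php HTTP/1.1" 200
10.0.0.9 - bob [16/Feb/2026:11:20:41 +0000] "GET /index.php?m=editor&f=delete&filePath=%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200
10.0.0.7 - carol [16/Feb/2026:11:21:15 +0000] "GET /index.php?m=editor&f=delete&filePath=%2Fetc%2Fhosts HTTP/1.1" 403
10.0.0.5 - alice [16/Feb/2026:11:22:00 +0000] "GET /index.php?m=editor&f=view&filePath=..%2Fother.txt HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e ends up as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_path: str) -> bool:
    """True if the decoded value escapes a relative directory scope."""
    decoded = fully_decode(file_path).replace("\\", "/")
    # Absolute paths and embedded NULs are never legitimate here.
    if decoded.startswith("/") or "\x00" in decoded:
        return True
    # Component-wise check: "..abc" is a valid name, ".." is not.
    return any(part == ".." for part in decoded.split("/"))


def scan_log(text: str, module: str = "editor", func: str = "delete") -> list:
    """Return (client, user, decoded filePath) for suspicious delete requests."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qs performs one round of decoding; fully_decode handles the rest.
        qs = parse_qs(urlsplit(m["target"]).query)
        if qs.get("m", [""])[0] != module or qs.get("f", [""])[0] != func:
            continue
        for fp in qs.get("filePath", []):
            if is_traversal(fp):
                hits.append((m["client"], m["user"], fully_decode(fp)))
    return hits


if __name__ == "__main__":
    for client, user, path in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {client} as {user}: filePath={path!r}")
```

Run against the constructed sample the scanner flags the two `bob` requests (one plainly encoded, one double-encoded) and `carol`'s absolute path, and ignores `alice`'s in-scope delete and her non-delete request. Note that the 403 on `carol`'s line still gets reported: a blocked attempt is exactly the signal to investigate, so status code is deliberately not used as a filter.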
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-15T16:20:21.100Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6992fd2fbda29fb02f6aa184
Added to database: 2/16/2026, 11:19:11 AM
Last enriched: 2/16/2026, 11:33:29 AM
Last updated: 2/16/2026, 2:04:06 PM
Views: 15