CVE-2026-2552 is a path traversal vulnerability found in the ZenTao project management software, affecting versions 21.7.0 through 21.7.8. The vulnerability resides in the delete function within the file editor/control.php file of the Committer component. By manipulating the filePath parameter, an authenticated user with low privileges can traverse directories and potentially delete or access files outside the intended scope. This can lead to unauthorized modification or removal of critical files, compromising system integrity and availability. The vulnerability does not require user interaction but does require some level of authentication with low privileges, making exploitation feasible in environments where users have access to ZenTao's file editor features. The CVSS 4.0 vector indicates a medium severity with a base score of 5.1, reflecting limited scope and impact but notable risk. No public exploits have been reported yet, but the vulnerability's nature makes it a concern for organizations relying on ZenTao for project management and software development workflows. The vendor has addressed the issue in version 21.7.9, and upgrading is the recommended remediation.

The primary impact of this vulnerability is unauthorized file access and deletion, which can compromise the integrity and availability of the affected system. Attackers with low-level authenticated access can manipulate file paths to delete or access sensitive files outside the intended directories, potentially disrupting project management operations or exposing confidential data. This can lead to operational downtime, loss of critical project data, and increased risk of further exploitation if system files or configurations are altered. While confidentiality impact is limited due to required authentication, the integrity and availability impacts are significant. Organizations using affected ZenTao versions in production environments face risks of service disruption and data loss, which can affect development cycles and business continuity.

Organizations should immediately upgrade ZenTao installations to version 21.7.9 or later, where this vulnerability is patched. Until upgrading is possible, restrict access to the file editor and Committer components to trusted users only, minimizing the number of authenticated users with low privileges who can access these features. Implement strict access controls and monitoring on the ZenTao environment to detect unusual file deletion or access patterns. Conduct regular backups of project data and configuration files to enable recovery in case of malicious file deletions. Additionally, review and harden authentication mechanisms to prevent unauthorized access. Employ network segmentation to isolate ZenTao servers from broader enterprise networks to limit lateral movement if exploitation occurs. Finally, maintain vigilance for any emerging exploit reports and apply security patches promptly.