ZenTaoPMS allows attackers to run malicious code

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

ZenTaoPMS allows attackers to run malicious code

CVE-2025-50857

Summary

The ZenTaoPMS project has a security issue that lets attackers execute arbitrary code. This means they can potentially do anything on the server, including accessing sensitive data or taking control of the system. Update to a fixed version to protect your server.

Original title

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload

Original description

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload

nvd CVSS3.1 9.8

Vulnerability type

CWE-22 Path Traversal

https://gist.github.com/sorzs/c67a3dcaa9adb49266d5ff52a04d904b
https://github.com/sorzs/test/blob/main/read_and_delete

Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026