At IceWhale, security is a top priority. This document outlines our security disclosure process, scope, and guidelines for reporting vulnerabilities.
We are committed to:
- Transparent and responsible disclosure.
- Prompt resolution of security issues.
- Public acknowledgment of contributors who help us improve.
In Scope:
- ZimaOS (Latest version Only)
- ZimaBoard hardware + firmware
- ZimaCube hardware + firmware
- Official IceWhale services
Out of Scope:
- Third-party services or software not developed by IceWhale.
- Physical attacks requiring device theft or tampering.
- Social engineering attacks (phishing, scams).
- Denial-of-service (DoS) attacks that do not reveal exploitable flaws.
- Exploit working on older version of browser.
If you discover a potential vulnerability:
- Please email us at security@icewhale.org or open a report via GitHub Security Advisories.
- Include:
- Steps to reproduce
- Impact assessment
- Affected version(s)
- Suggested fixes (if possible)
We aim to acknowledge reports within 10 business days and provide updates throughout the triage and fix process.
- We follow a 90-day disclosure timeline (aligned with industry standards).
- If a fix is released earlier, we may disclose sooner.
- Contributors will be acknowledged in our Hall of Fame and/or advisories.
| CVE ID | Title | Severity (CVSS 3.1) | Affected Versions | Status | Advisory Link | Researcher |
|---|---|---|---|---|---|---|
| CVE-2026-28789 | Arbitrary internal service access via /v1/sys/proxy when Cloudflare Tunnel is enabled on ZimaOS | 9.1 High | ZimaOS β€ v1.5.0 | Fixed | View Advisory | DrDark1999 |
| CVE-2026-28442 | ZimaOS v1.5.2-beta3 - Arbitrary Deletion of Internal System Files via API Path Manipulation | 8.6 High | ZimaOS β€ v1.5.3 | Fixed | View Advisory | Rushi9 |
| CVE-2026-28286 | ZimaOS v1.5.2-beta3 - Unauthorized Creation of Files/Folders in Restricted System Directories via API | 8.6 High | ZimaOS β€ v1.5.3 | Fixed | View Advisory | Rushi9 |
| CVE-2026-21891 | Authentication Bypass via System-Level Username | 9.4 High | ZimaOS β€ v1.5.2 | Fixed | View Advisory | captain-noob |
| CVE ID | Title | Severity (CVSS 3.1) | Affected Versions | Status | Advisory Link | Researcher |
|---|---|---|---|---|---|---|
| CVE-2025-58431 | Arbitrary File Read using localhost calls to File API Download | 5.3 Moderate | ZimaOS β€ v1.4.4 | Fixed | View Advisory | 0xvpr |
| CVE-2025-58432 | Privilege Escalation using localhost calls to File API Upload | 5.3 Moderate | ZimaOS β€ v1.4.4 | Fixed | View Advisory | 0xvpr |
| CVE ID | Title | Severity (CVSS 3.1) | Affected Versions | Status | Advisory Link | Researcher |
|---|---|---|---|---|---|---|
| CVE-2024-49359 | Directory Listing via Parameter Manipulation in ZimaOS | 7.5 High | ZimaOS β€ v1.2.4 | Fixed | View Advisory | DrDark1999 |
| CVE-2024-48931 | Arbitrary File Read via Parameter Manipulation in ZimaOS | 7.5 High | ZimaOS β€ 1.2.4 | Fixed | View Advisory | DrDark1999 |
| CVE-2024-49358 | Username Enumeration via API Responses in ZimaOS | 5.3 Moderate | ZimaOS β€ 1.2.4 | Fixed | View Advisory | DrDark1999 |
| CVE-2024-49357 | Unauthorized Sensitive Data Leak in ZimaOS (Installed Applications and System Information) | 7.5 Hight | ZimaOS β€ 1.2.4 | Fixed | View Advisory | DrDark1999 |
| CVE-2024-48932 | Unauthenticated API Discloses Usernames ZimaOS | 5.3 Moderate | ZimaOS β€ 1.2.4 | Fixed | View Advisory | DrDark1999 |
We thank the security researchers who responsibly disclosed vulnerabilities:
- Rushi9 - Multiple CVEs in ZimaOS
- captain-noob - Multiple CVEs in ZimaOS
- 0xvpr - Multiple CVEs in ZimaOS
- DrDark1999 - Multiple CVEs in ZimaOS
- π§ Email: security@icewhale.org
- π GitHub: IceWhale Security Advisories