What is the severity of CVE-2026-21891?

CVE-2026-21891 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2026-21891?

No known public exploits are currently available for CVE-2026-21891.

Is there a patch available for CVE-2026-21891?

Yes, patches are available for CVE-2026-21891. Check the vendor advisories for update instructions.

CVE-2026-21891 - CVE Details, Severity, and Analysis

CVE-2026-21891 - CVE Details, Severity, and Analysis | Strobes VI

Severity Scores

CVSS v39.8

CVSS v20.0

Priority Score588.0

EPSS Score0.0

Critical

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

9.8

CVSS

Exploit

Yes

Patch

Medium Priority

critical severity

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions up to and including 1.5.0, the application checks the validity of the username but appears to skip, misinterpret, or incorrectly validate the password when the provided username matches a known system service account. The application's login function fails to properly handle the password validation result for these users, effectively granting authenticated access to anyone who knows one of these common usernames and provides any password. As of time of publication, no known patched versions are available.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Patch References

Security [email protected]

Trend Analysis

Neutral

Vulnerable Products

Vendor	Product
Zimaspace	Zimaos