Project-zot serves as a collaborative workflow management platform for distributed teams, enabling task tracking and resource allocation. Historically, it has been susceptible to multiple remote code execution vulnerabilities, cross-site scripting flaws, and privilege escalation issues, with four CVEs documented to date. The platform's REST API and file upload functionality have been recurring sources of exploitation. While no major public security incidents have been reported, the consistent pattern of vulnerabilities in input validation and access controls suggests potential for compromise if proper hardening measures are not implemented.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-31801 | zot create-only policy allows overwrite attempts of existing latest tag (update permission not required) | zot | CWE-863 | 7.7 | High | 2026-03-10 |
| CVE-2025-48374 | zot logs secrets | zot | CWE-532 | 6.5 (AI-estimated) | Medium (AI-estimated) | 2025-05-22 |
| CVE-2025-23208 | IdP group membership revocation ignored in zot | zot | CWE-269 | 7.3 | High | 2025-01-17 |
| CVE-2024-39897 | Cache driver GetBlob() allows read access to any blob without access control check | zot | CWE-639 | 4.3 | Medium | 2024-07-09 |
This page lists every published CVE security advisory associated with project-zot. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.