Zoom Workplace for Windows - External Control of File Name or Path

Bulletin: ZSB-26005
CVEID: CVE-2026-30903
CVSS Severity: Critical
CVSS Score: 9.6
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description:

External Control of File Name or Path in the Mail feature of Zoom Workplace for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via network access

Users can help keep themselves secure by applying the latest updates available at https://zoom.us/download.

Affected Products:

Zoom Workplace for Windows before version 6.6.0
Zoom Workplace VDI Client for Windows before versions 6.4.17 and 6.5.15 and 6.6.10 in their respective branch

Source:

Reported by Zoom Offensive Security

Revision	Date	Description
1.0	03/10/2026	Initial publication.

Zoom Workplace for Windows - External Control of File Name or Path

Subscribe for updates