{"api_version":"1","generated_at":"2026-05-13T20:59:56+00:00","cve":"CVE-2026-30905","urls":{"html":"https://cve.report/CVE-2026-30905","api":"https://cve.report/api/cve/CVE-2026-30905.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-30905","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-30905"},"summary":{"title":"CVE-2026-30905","description":"External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.","state":"PUBLISHED","assigner":"Zoom","published_at":"2026-05-13 19:17:05","updated_at":"2026-05-13 19:17:05"},"problem_types":["CWE-73","CWE-73 CWE-73 External control of file name or path"],"metrics":[{"version":"3.1","source":"security@zoom.us","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.zoom.com/en/trust/security-bulletin/zsb-26007","name":"https://www.zoom.com/en/trust/security-bulletin/zsb-26007","refsource":"security@zoom.us","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-30905","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30905","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Zoom Communications","product":"Zoom Workplace VDI Plugin","version":"affected 6.6.11 custom","platforms":["Windows"]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-30905","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-05-13T18:54:30.275041Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-13T18:55:08.369Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows"],"product":"Zoom Workplace VDI Plugin","vendor":"Zoom Communications","versions":[{"lessThan":"6.6.11","status":"affected","version":"0","versionType":"custom"}]}],"datePublic":"2026-05-12T12:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access."}],"value":"External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"CWE-73 External control of file name or path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-13T18:00:22.649Z","orgId":"99b9af0d-a833-4a5d-9e2f-8b1324f35351","shortName":"Zoom"},"references":[{"url":"https://www.zoom.com/en/trust/security-bulletin/zsb-26007"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.0"}}},"cveMetadata":{"assignerOrgId":"99b9af0d-a833-4a5d-9e2f-8b1324f35351","assignerShortName":"Zoom","cveId":"CVE-2026-30905","datePublished":"2026-05-13T18:00:22.649Z","dateReserved":"2026-03-06T18:44:57.631Z","dateUpdated":"2026-05-13T18:55:08.369Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-13 19:17:05","lastModifiedDate":"2026-05-13 19:17:05","problem_types":["CWE-73","CWE-73 CWE-73 External control of file name or path"],"metrics":{"cvssMetricV31":[{"source":"security@zoom.us","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"30905","Ordinal":"1","Title":"CVE-2026-30905","CVE":"CVE-2026-30905","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"30905","Ordinal":"1","NoteData":"External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.","Type":"Description","Title":"CVE-2026-30905"}]}}}