CVE-2026-30905

{"id": "CVE-2026-30905", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@zoom.us", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-05-13T19:17:05.367", "references": [{"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-26007", "tags": ["Vendor Advisory"], "source": "security@zoom.us"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@zoom.us", "description": [{"lang": "en", "value": "CWE-73"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-610"}]}], "descriptions": [{"lang": "en", "value": "External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access."}], "lastModified": "2026-06-03T01:26:11.010", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoom:workplace_virtual_desktop_infrastructure:*:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "71CB5B38-4382-4E63-8ED6-D4E7CE2ADD04", "versionEndExcluding": "6.6.11"}], "operator": "OR"}]}], "sourceIdentifier": "security@zoom.us"}