EIP-2026-114615

This exploit demonstrates an authenticated command injection vulnerability in Zentao Project Management System 17.0, allowing remote code execution via the 'client' parameter in a POST request to the repo creation endpoint. The exploit authenticates, then injects a command into the 'client' field, which is executed via the 'exec' function in the vulnerable PHP code.