6.1
CVE-2026-40302
- EPSS 0.21%
- Veröffentlicht 17.04.2026 20:56:08
- Zuletzt bearbeitet 23.04.2026 18:32:53
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Loginzrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Netfoundry ≫ Zrok Version < 2.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.109 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/openziti/zrok/security/advisories/GHSA-4fxq-2x3x-6xqx
https://github.com/openziti/zrok/releases/tag/v2.0.1