CVE-2026-42275
- EPSS 0.33%
- Published 08.05.2026 03:45:57
- Last modified 08.05.2026 20:03:27
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbo...
CVE-2026-40304
- EPSS 0.29%
- Published 17.04.2026 21:04:23
- Last modified 23.04.2026 18:33:27
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the mark...
CVE-2026-40303
- EPSS 0.45%
- Published 17.04.2026 21:01:51
- Last modified 23.04.2026 18:33:09
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation...
CVE-2026-40302
- EPSS 0.21%
- Published 17.04.2026 20:56:08
- Last modified 23.04.2026 18:32:53
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in bot...