Lucene search
+L

6 matches found

NVD
NVD
added 2 days ago7 views

CVE-2026-45568

zrok is software for sharing web services, files, and network resources. Prior to 2.0.3, zrok's Python SDK ProxyShare Flask proxy route accepts an absolute URL in the request path and passes it to urllib.parse.urljoin, allowing the requested path to replace the configured target host and causing...

9.9CVSS0.00356EPSS
Exploits0References3
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-577 rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

Summary Alice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response ...

9.9CVSS5.7AI score0.00356EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/19 3:16 p.m.6 views

Directory Traversal

Overview zrok is a zrok Affected versions of this package are vulnerable to Directory Traversal due to Alice exposing a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, whi...

10CVSS6.4AI score0.00356EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 3:16 p.m.11 views

rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths

Summary Alice exposes a Python SDK ProxyShare with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to urllib.parse.urljoin, which replaces Alice's configured target host with Bob's host and returns the server-side response ...

9.9CVSS5.8AI score0.00356EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/17 9:1 p.m.24 views

CVE-2026-40303

CVE-2026-40303 (zrok) affects zrok prior to 2.0.1. The flaw is in endpoints.GetSessionCookie, which parses an attacker-supplied cookie chunk count and calls make([]string, count) without an upper bound before token validation. This enables unauthenticated remote attackers to trigger gigabyte-scal...

7.5CVSS5.8AI score0.00453EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/17 9:1 p.m.22 views

CVE-2026-40303 zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls makestring, count with no upper bound before any token validation occurs. The function is reached on every request t...

7.5CVSS0.00453EPSS
Exploits0References2
Rows per page
Query Builder