Lucene search
K
NetfoundryZrok

4 matches found

CVE
CVE
added 2026/05/08 3:45 a.m.38 views

CVE-2026-42275

The CVE-2026-42275 issue affects zrok’s WebDAV drive backend (davServer.Dir) where symbolic links inside the shared DriveRoot are not prevented from pointing outside the root. This allows remote WebDAV clients to read files and, on shares with lax OS permissions, overwrite files anywhere on the h...

8.7CVSS5.8AI score0.0033EPSS
CVE
CVE
added 2026/04/17 9:1 p.m.21 views

CVE-2026-40303

CVE-2026-40303 (zrok) affects zrok prior to 2.0.1. The flaw is in endpoints.GetSessionCookie, which parses an attacker-supplied cookie chunk count and calls make([]string, count) without an upper bound before token validation. This enables unauthenticated remote attackers to trigger gigabyte-scal...

7.5CVSS5.8AI score0.00453EPSS
CVE
CVE
added 2026/04/17 8:56 p.m.15 views

CVE-2026-40302

CVE-2026-40302 affects zrok prior to v2.0.1. The proxyUi template engine used Go's text/template (no HTML escaping), leading to reflected XSS via an attacker-controlled refreshInterval error rendered in the GitHub OAuth callback. An attacker can send a crafted login URL; after OAuth completes, th...

6.1CVSS5.8AI score0.00209EPSS
CVE
CVE
added 2026/04/17 9:4 p.m.14 views

CVE-2026-40304

CVE-2026-40304 affects the zrok controller, where the unaccess handler (controller/unaccess.go) uses a faulty ownership guard. If a frontend record has environment_id = NULL (global admin-created frontends), the guard may short-circuit to false, letting a non-admin with a valid global frontend to...

5.3CVSS5.7AI score0.00286EPSS
Web