Package impact
Go / github.com/openziti/zrok
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42275 | high | 8.7 | 8.7 | | | | 22d ago | zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write |
| CVE-2026-45576 | high | — | 8.0 | | | | 10d ago | zrok copy writes attacker-controlled WebDAV paths outside the destination root |
| CVE-2026-40304 | unknown | — | — | | | | 1mo ago | zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records |
| CVE-2026-40303 | unknown | — | — | | | | 1mo ago | zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing |
| CVE-2026-40302 | unknown | — | — | | | | 1mo ago | zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering |