Vulnerability Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netfoundry | Zrok | < 2.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/openziti/zrok/releases/tag/v2.0.1Release Notes
- https://github.com/openziti/zrok/security/advisories/GHSA-4fxq-2x3x-6xqxVendor Advisory
FAQ
What is CVE-2026-40302?
CVE-2026-40302 is a vulnerability with a CVSS score of 6.1 (MEDIUM). zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/t...
How severe is CVE-2026-40302?
CVE-2026-40302 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40302?
Check the references section above for vendor advisories and patch information. Affected products include: Netfoundry Zrok.