Vulnerability Description
Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d372
- https://github.com/zaproxy/zap-extensions/pull/7481
- https://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4
- https://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserializati
- https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-za
FAQ
What is CVE-2026-57527?
CVE-2026-57527 is a vulnerability with a CVSS score of 8.8 (HIGH). Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution b...
How severe is CVE-2026-57527?
CVE-2026-57527 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-57527?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.