github.com/openziti/zrok/v2
Go
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/openziti/zrok/v2
- CVE-2026-40302 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.0.1 | 2026-04-17
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback hand…
- CVE-2026-40303 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.0.1 | 2026-04-17
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token…
- CVE-2026-40304 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.0.1 | 2026-04-17
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NUL…
- CVE-2026-42275 | HIGH | CVSS 8.7 | EG 8.7 | ✓ Fixed in 2.0.2 | 2026-05-08
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. W…