{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40302", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.036Z", "datePublished": "2026-04-17T20:56:08.368Z", "dateUpdated": "2026-04-18T03:07:10.092Z"}, "containers": {"cna": {"title": "zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openziti/zrok/security/advisories/GHSA-4fxq-2x3x-6xqx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openziti/zrok/security/advisories/GHSA-4fxq-2x3x-6xqx"}, {"name": "https://github.com/openziti/zrok/releases/tag/v2.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"}], "affected": [{"vendor": "openziti", "product": "zrok", "versions": [{"version": "< 2.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T20:56:08.368Z"}, "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue."}], "source": {"advisory": "GHSA-4fxq-2x3x-6xqx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-18T03:07:00.447331Z", "id": "CVE-2026-40302", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T03:07:10.092Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue."}], "id": "CVE-2026-40302", "lastModified": "2026-04-17T21:16:34.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T21:16:34.997", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openziti/zrok/releases/tag/v2.0.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/openziti/zrok/security/advisories/GHSA-4fxq-2x3x-6xqx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:57:29.879433+00:00", "value": {"mitigation_remediation": ["Upgrade to openziti zrok v2.0.1 or later.", "If an upgrade cannot be performed immediately, block or escape any refreshInterval query parameter in the callback URL to prevent unescaped rendering.", "Replace the use of text/template with a safe alternative such as html/template for all user\u2011supplied content to ensure proper HTML escaping."], "summary": {"action": "Immediate Patch", "impact": "Reflected XSS in OAuth callback"}, "threat_synthesis": {"affected_systems": "The issue affects any openziti zrok deployment running a release earlier than v2.0.1. Users of those versions should verify their installed version and plan an update to the patched release.", "description_and_impact": "zrok is a tool for sharing services that, before version 2.0.1, uses Go\u2019s text/template in its proxyUi engine, which performs no HTML escaping. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker\u2011controlled refreshInterval query parameter directly into an error message when time.ParseDuration fails. That error is rendered without escaping, allowing arbitrary JavaScript to execute in the OAuth server\u2019s origin. This flaw, grounded in CWE\u201179 (Cross\u2011Site Scripting) and CWE\u2011116 (Improper Encoding), lets an adversary inject code whenever a victim follows a malicious login link and completes the OAuth flow.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.1, indicating moderate severity, and currently has no EPSS score available. It is not listed in CISA\u2019s KEV catalog. The likely attack vector requires a victim to click a crafted OAuth URL; after authentication, the callback page executes the injected script in the context of the OAuth provider\u2019s origin, enabling client\u2011side compromise of the user\u2019s session."}}}}, "created": "2026-04-18T09:00:05.902117+00:00", "updated": "2026-04-18T09:00:05.902137+00:00", "vendors": []}