CVE-2026-40302
MEDIUM
zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
Title source: cnaDescription
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.
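The root cause described above, as an added Go example that is not zrok's own code: the same error page rendered once through text/template (the pre-2.0.1 behaviour) and once through html/template (the fix). The errorPage template, the function names and the query value are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
	"time"
)

// Constructed stand-in for the proxyUi error page; {{.Error}} is where the message lands.
const errorPage = `<html><body><p>login failed: {{.Error}}</p></body></html>`

// Mirrors the failing step: a rejected refreshInterval is embedded verbatim in the error.
func ParseRefreshInterval(raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("bad refreshInterval %s: %v", raw, err)
	}
	return d, nil
}

// Both template packages satisfy this, so one helper renders either engine.
type executor interface{ Execute(w io.Writer, data interface{}) error }

func render(t executor, msg string) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, map[string]string{"Error": msg}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Pre-2.0.1 pattern: text/template copies the message byte-for-byte, markup included.
func RenderUnsafe(msg string) (string, error) {
	return render(texttemplate.Must(texttemplate.New("err").Parse(errorPage)), msg)
}

// The fix: html/template escapes the message for the text node it lands in.
func RenderEscaped(msg string) (string, error) {
	return render(htmltemplate.Must(htmltemplate.New("err").Parse(errorPage)), msg)
}

func main() {
	_, perr := ParseRefreshInterval("<b>not-a-duration</b>") // constructed input
	unsafe, _ := RenderUnsafe(perr.Error())
	safe, _ := RenderEscaped(perr.Error())
	fmt.Printf("text/template: %s\nhtml/template: %s\n", unsafe, safe)
}
```

Running it prints the tag intact in the text/template output and as `&lt;b&gt;...&lt;/b&gt;` in the html/template output, which is the whole difference between the vulnerable and patched rendering.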
Scores
CVSS v3
6.1
EPSS
0.0001
EPSS Percentile
1.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-116
CWE-79
Status
published
Products (2)
netfoundry/zrok
< 2.0.1
openziti/zrok
< 2.0.1
Published
Apr 17, 2026
Tracked Since
Apr 18, 2026