All 3 CVE vulnerabilities found in zrok, with AI-generated Chinese analysis, references, and POCs.
Vendor: openziti
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-40304 | zrok's broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records | CWE-284 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-40303 | zrok allows unauthenticated DoS via unbounded memory allocation in striped session cookie parsing | CWE-400 | 7.5 | High | 2026-04-17 |
| CVE-2026-40302 | zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering | CWE-79 | 6.1 | Medium | 2026-04-17 |
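The first row describes a CWE-284 ownership check that let a non-admin delete frontend records that belong to nobody ("global" records). The following Go snippet is an added illustration of that bug class and its fix; it is not zrok's code, this page does not show zrok's actual handler, and the `Principal`/`Frontend` types, the empty-`Owner` convention for global records and the `unaccess` helper are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is the authenticated caller. Field names are assumptions for this
// example, not zrok's schema.
type Principal struct {
	Email string
	Admin bool
}

// Frontend is a frontend record. By assumption, Owner == "" marks a global
// (shared, unowned) frontend that only an admin should be able to delete.
type Frontend struct {
	Token string
	Owner string
}

var ErrUnauthorized = errors.New("unauthorized")
var ErrNotFound = errors.New("not found")

// vulnerableCanDelete shows one way an ownership check goes wrong (CWE-284):
// it only rejects records that belong to *someone else*, so an unowned global
// record passes for any authenticated caller.
func vulnerableCanDelete(p Principal, f Frontend) bool {
	if f.Owner != "" && f.Owner != p.Email {
		return false
	}
	return true
}

// fixedCanDelete requires a positive authorisation: the caller is an admin, or
// the record has an owner and that owner is the caller. Global records never
// match a non-admin.
func fixedCanDelete(p Principal, f Frontend) bool {
	if p.Admin {
		return true
	}
	return f.Owner != "" && f.Owner == p.Email
}

// unaccess stands in for a DELETE handler: it removes the record from the
// store only if the supplied policy allows it. The store is a plain map so the
// example runs offline.
func unaccess(store map[string]Frontend, p Principal, token string,
	policy func(Principal, Frontend) bool) error {
	f, ok := store[token]
	if !ok {
		return ErrNotFound
	}
	if !policy(p, f) {
		return ErrUnauthorized
	}
	delete(store, token)
	return nil
}

func main() {
	user := Principal{Email: "alice@example.com"}
	global := Frontend{Token: "public", Owner: ""}

	store := map[string]Frontend{"public": global}
	fmt.Println("vulnerable policy:", unaccess(store, user, "public", vulnerableCanDelete))

	store = map[string]Frontend{"public": global}
	fmt.Println("fixed policy:", unaccess(store, user, "public", fixedCanDelete))
}
```

The practical check for any delete-style endpoint is the one `fixedCanDelete` encodes: the decision must be "who is allowed", never "who is excluded", so that records with no owner fall into the deny branch by default.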