Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1154

NIXPKGS-2026-1154
published on
Permalink CVE-2026-40302
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 1 week, 3 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 4 days ago
  • @LeSuisse ignored maintainer @bennyandresen 1 week, 3 days ago maintainer.ignore
  • @LeSuisse accepted 1 week, 3 days ago
  • @LeSuisse published on GitHub 1 week, 3 days ago
zrok has reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.

Affected products

zrok
  • ==< 2.0.1

Matching in nixpkgs

pkgs.zrok

Geo-scale, next-generation sharing platform built on top of OpenZiti

Package maintainers

Ignored maintainers (1)