VYPR

Zrok

by Openziti

CVEs (3)

  • CVE-2026-45568 | cri | May 19, 2026
    risk 0.52 | cvss | epss 0.00

    Summary: Alice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice's configured target host with Bob's host and returns…

  • CVE-2026-42275 | Hig | May 8, 2026
    risk 0.50 | cvss 8.7 | epss 0.00

    zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared…

  • CVE-2026-45576 | hig | May 19, 2026
    risk 0.38 | cvss | epss 0.00

    Summary: Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which…
