zrok
by zrok
CVEs (1)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45576 | hig | 0.45 | — | — | May 19, 2026 | ## Summary Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice's selected directory. ### Impact Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten. |
- risk 0.45cvss —epss —
## Summary Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the target root and creates the file outside Alice's selected directory. ### Impact Users given access to a zrok share may be able to traverse the directory tree arbitrarily with the sharing users credentials, allowing for sensitive information to be overwritten.