CVE-2026-40302
Received Received - Intake
Cross-Site Scripting in zrok OAuth Callback via Unescaped Input

Publication date: 2026-04-17

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin. Version 2.0.1 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40302
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
netfoundry zrok to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the zrok software prior to version 2.0.1. The issue arises because the proxyUi template engine uses Go's text/template, which does not perform HTML escaping, instead of html/template. Specifically, the GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter directly into an error message without escaping it. When time.ParseDuration fails, this error message is rendered unescaped into HTML. An attacker can exploit this by crafting a malicious login URL that, after the victim completes the GitHub OAuth flow, causes the callback page to execute arbitrary JavaScript in the OAuth server's origin.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, allowing an attacker to execute arbitrary JavaScript in the context of the OAuth server's origin. This can result in unauthorized actions being performed on behalf of the victim, theft of sensitive information such as authentication tokens or cookies, and potential compromise of user accounts or sessions.

Mitigation Strategies

To mitigate this vulnerability, upgrade zrok to version 2.0.1 or later, as this version patches the issue with the proxyUi template engine and the GitHub OAuth callback handlers.

Compliance Impact

The vulnerability allows an attacker to execute arbitrary JavaScript in the OAuth server's origin by embedding attacker-controlled input into an error message without proper HTML escaping. This can lead to cross-site scripting (XSS) attacks, potentially exposing sensitive user information or session data.

Such exposure and unauthorized access to user data could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure handling of authentication processes.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40302. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart