PT-2026-33378 · Zrok · Zrok

Published: 2026-04-16 · Updated: 2026-04-18 · CVE-2026-40302

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: zrok versions prior to 2.0.1

Description: The proxyUi template engine uses Go's text/template, which performs no HTML escaping, instead of html/template. The GitHub OAuth callback handlers in 'publicProxy' and 'dynamicProxy' embed the attacker-controlled refreshInterval query parameter directly into an error message when time.ParseDuration() fails, and that error message is then rendered unescaped into the HTML page. An attacker can supply a crafted login URL to a victim; once the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin.

Recommendations: Update to version 2.0.1.
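As an added illustration (not code from the zrok project or this advisory), the following Go program reproduces the root cause in miniature: an error from time.ParseDuration that still carries the raw refreshInterval input is rendered once through text/template, which passes the markup straight into the page, and once through html/template, which escapes it. The error page template, the error wrapper and the sample input are constructed stand-ins, not zrok's own code.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	texttemplate "text/template"
	"time"
)

// errorPage is a constructed stand-in for the proxyUi error view, not zrok's own template.
const errorPage = `<html><body><p class="error">{{.Error}}</p></body></html>`
type errorData struct{ Error string }

// parseRefreshInterval mirrors the shape of the callback's handling: when
// time.ParseDuration rejects the input, the raw value travels inside the error text.
func parseRefreshInterval(raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, fmt.Errorf("unable to parse refreshInterval: %w", err)
	}
	return d, nil
}

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface{ Execute(w io.Writer, data any) error }
func render(t executor, msg string) string {
	var buf bytes.Buffer
	if err := t.Execute(&buf, errorData{Error: msg}); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderWithTextTemplate is the vulnerable pattern: text/template copies the
// error string into the page verbatim, any markup in it included.
func renderWithTextTemplate(msg string) string {
	return render(texttemplate.Must(texttemplate.New("err").Parse(errorPage)), msg)
}

// renderWithHTMLTemplate is the fix: html/template applies context-aware escaping,
// so the same string is emitted as inert text ("<" becomes "&lt;").
func renderWithHTMLTemplate(msg string) string {
	return render(htmltemplate.Must(htmltemplate.New("err").Parse(errorPage)), msg)
}

func main() {
	_, err := parseRefreshInterval("<b>30s") // constructed input carrying markup
	fmt.Println(renderWithTextTemplate(err.Error()))
	fmt.Println(renderWithHTMLTemplate(err.Error()))
}
```

Running it prints the same error message twice: the text/template output contains the literal `<b>` tag, while the html/template output contains `&lt;b&gt;`.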

Fix

Weakness Enumeration: Improper Encoding or Escaping of Output; XSS

Related Identifiers: CVE-2026-40302, GHSA-4FXQ-2X3X-6XQX

Affected Products: Zrok