CVE-2026-42275 · HIGH 8.7 · EPSS p24.6%

CVE-2026-42275

Description

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and—on shares without OS-level permission restrictions—write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

Scoring

CVSS 3.1: 8.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.33% probability of exploitation · percentile 24.6% · 2026-06-19T12:03:05Z
Published: 2026-05-08
Last modified: 2026-05-08

Underlying weaknesses · 2

CWE-22, CWE-61

References

  1. https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e
  2. https://github.com/openziti/zrok/releases/tag/v2.0.2
  3. https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h

Type      Target                                                                           Confidence  Tier
Weakness  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-22  0%  live
Weakness  UNIX Symbolic Link (Symlink) Following, CWE-61                                   0%  live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-44051
  2. CVE-2025-66945
  3. CVE-2026-29064
  4. CVE-2026-1933
  5. CVE-2016-20029
  6. CVE-2026-29205
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.