Product
The zrok Python SDK `ProxyShare` is vulnerable to server-side request forgery (SSRF) via CVE-2026-45568. When a user sends a request with an absolute URL in the path, the Flask handler passes that path to `urllib.parse.urljoin`, which replaces the configured target host with the user-supplied host, causing the proxy to send the request to an attacker-chosen URL.