Zrok

A path traversal vulnerability exists in zrok copy (CVE-2026-45576) where an attacker-controlled WebDAV or zrok drive can write files outside the destination root by manipulating the DAV `href` response.

The zrok Python SDK `ProxyShare` is vulnerable to server-side request forgery (SSRF) via CVE-2026-45568. When a user sends a request with an absolute URL in the path, the Flask handler passes that path to `urllib.parse.urljoin`, which replaces the configured target host with the user-supplied host, causing the proxy to send the request to an attacker-chosen URL.

An unauthenticated attacker can cause a denial-of-service (DoS) in zrok by sending a crafted HTTP request with a large cookie chunk count to an OAuth-protected proxy share, triggering unbounded memory allocation and leading to process termination.