CVE-2026-40302

Summary The proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.ParseDuration fails, and render that error unescaped into HTML. An attacker can deliver a crafted login URL to a victim; after the victim completes the GitHub OAuth flow, the callback page executes arbitrary JavaScript in the OAuth server's origin.

• Attack Vector: Network - the attack is delivered as a crafted URL over the internet.
• Attack Complexity: Low - no race conditions or special environment prerequisites.
• Privileges Required: None - the attacker needs no account on the zrok instance.
• User Interaction: Required - the victim must click the crafted link and complete the GitHub OAuth flow.
• Scope: Changed - the injected script executes in the OAuth server's origin, not the victim's share origin.
• Confidentiality Impact: Low - the script runs in the OAuth server origin after a failed flow; no session cookie is set at this point, limiting what can be exfiltrated to what is visible in the DOM and what can be requested from the OAuth server.
• Integrity Impact: Low - the script can initiate new OAuth flows or submit forms on behalf of the victim in the OAuth server origin.
• Availability Impact: None.

Affected Components

• endpoints/proxyUi/template.go - init() / WriteTemplate (lines 8, 18, 99) - text/template used for HTML rendering
• endpoints/proxyUi/template.html - line 119 - {{ .Error }} in HTML without escaping
• endpoints/publicProxy/providerGithub.go - login callback closure (lines 93, 128, 130)
• endpoints/dynamicProxy/providerGithub.go - loginHandler() (lines 110, 146, 148)