What is the CVSS score of EUVD-2026-28511?

EUVD-2026-28511 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of zrok are affected by EUVD-2026-28511?

CVE-2026-42275 affects zrok's WebDAV drive backend, enabling unauthenticated attackers to read arbitrary files and overwrite critical system files like SSH authorized_keys if a symlink precondition…. A patch is available.

zrok EUVD-2026-28511

| CVE-2026-42275 HIGH

UNIX Symbolic Link (Symlink) Following (CWE-61)

2026-05-08 GitHub_M

GHSA-74m3-9qvm-rp9h

Path Traversal

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

May 08, 2026 - 05:01 EUVD

Source Code Evidence Fetched

May 08, 2026 - 04:34 vuln.today

Analysis Generated

May 08, 2026 - 04:34 vuln.today

CVE Published

May 08, 2026 - 03:45 nvd

HIGH 8.7

DescriptionNVD

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and-on shares without OS-level permission restrictions-write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.

AnalysisAI

Remote path traversal via symlink following in zrok's WebDAV drive backend allows unauthenticated network attackers to read arbitrary files accessible to the zrok process and overwrite critical system files (such as SSH authorized_keys) outside the intended share boundary. Attack complexity is high because exploitation requires a pre-existing symlink inside the shared directory pointing outside DriveRoot-a precondition typically created through local access or misconfiguration, not by the attacker. …

RemediationAI

Within 24 hours: inventory all zrok deployments and identify instances running WebDAV drive backend functionality. Within 7 days: upgrade zrok to version 2.0.2 or later (specifically incorporating commit 459bcfc1e121decae1b1d11c37ac94e4ed5bbf2e); audit shared directories for unexpected symlinks pointing outside DriveRoot. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-28511 vulnerability details – vuln.today

Back

zrok EUVD-2026-28511

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code