Description
Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
Published: 2026-06-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zed Attack Proxy’s ViewState add‑on before version 4 contains an insecure deserialization flaw that enables arbitrary code execution. The flaw resides in the JSFViewState.decode() method, which base64‑decodes the javax.faces.ViewState HTTP response parameter and forwards it directly to ObjectInputStream.readObject() without any deserialization filtering or type restrictions. An attacker who can inject a malicious serialized Java object into that ViewState value therefore causes the object to be deserialized within the ZAP desktop JVM and attacker‑supplied code to execute.
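The decode‑then‑readObject() pattern described above, placed beside a hardened variant that attaches a JDK ObjectInputFilter allowlist before reading the stream. This is an added illustration, not the add‑on's code or its fix; the class and method names, the allowlist contents and the sample inputs are assumptions.

```java
import java.io.*;
import java.util.Base64;
import java.util.HashMap;

public class ViewStateDecodeDemo {
    // Shape of the flaw as the description states it: base64-decode, then readObject()
    // with no filter, so any serializable class on the classpath can be instantiated.
    static Object decodeUnfiltered(String viewState) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(viewState);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened variant (assumed design): an explicit allowlist plus depth/reference/size
    // limits; the trailing "!*" rejects every class not named. Array classes are checked
    // by their component type, so java.lang.Object covers Object[].
    static final ObjectInputFilter VIEWSTATE_FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Object;java.lang.Integer;java.lang.Boolean;"
          + "maxdepth=8;maxrefs=256;maxbytes=65536;!*");

    static Object decodeFiltered(String viewState) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(viewState);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(VIEWSTATE_FILTER); // must be set before readObject()
            return in.readObject();                    // rejected class -> InvalidClassException
        }
    }

    // Helper to build constructed sample inputs for the demo below.
    static String encode(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign state array, and a harmless class outside the allowlist.
        String benign = encode(new Object[] {"viewId", 42, Boolean.TRUE});
        String unexpected = encode(new HashMap<String, String>());

        System.out.println("filtered, benign: " + ((Object[]) decodeFiltered(benign)).length + " elements");
        try {
            decodeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, rejected: " + e.getMessage());
        }
        System.out.println("unfiltered accepts anything: " + decodeUnfiltered(unexpected).getClass());
    }
}
```

A viewer that only needs to display state should prefer the narrowest allowlist that still decodes real JSF state, and log every filter rejection as a possible hostile response.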

Affected Systems

The vulnerability affects the Zed Attack Proxy (ZAP) ViewState add‑on distributed under the zaproxy:zap-extensions vendor for any version prior to the release tagged viewstate‑v4. Users running the add‑on on older releases should verify their current version and plan an upgrade if the add‑on is still installed.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity flaw, yet the EPSS score is not available, so the current probability of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an attacker who controls a proxied web server being able to inject a malicious ViewState payload; the flaw is not exploitable simply by visiting a target site, but requires manipulation of responses sent through ZAP’s proxy. Given the high severity and the lack of observable exploitation, administrators should treat this as a serious risk until a patch is applied.

Generated by OpenCVE AI on June 26, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ZAP to version 4 or later, including the viewstate add‑on release tagged viewstate‑v4, to remove the insecure deserialization code.
  • Configure ZAP so that only trusted internal services are proxied, limiting the ability of an unauthenticated user to supply crafted ViewState parameters.
  • If an upgrade cannot be performed immediately, disable the ViewState add‑on in the ZAP desktop UI to prevent rendering of malicious ViewState data.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description   -                Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.
Title         -                ZAP ViewState Add-on Insecure Deserialization via JSFViewState.decode()
Weaknesses    -                CWE-502
References    -                -
Metrics       -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
                               cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-26T16:31:01.702Z

Reserved: 2026-06-24T15:58:58.538Z

Link: CVE-2026-57527

Vulnrichment

Updated: 2026-06-26T16:28:34.885Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data