CVE Catalog

CVE-2026-57527

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Summary

The ViewState add-on for Zed Attack Proxy (ZAP) before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve remote code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

Risk Assessment

An attacker can remotely execute arbitrary code in the context of the ZAP application, potentially leading to tool compromise, data theft, or further attacks on the organization's infrastructure.

Recommendation

Immediately update the ViewState add-on to version 4 or later, which fixes the vulnerability. If an update is not possible, temporarily disable the add-on or restrict ZAP access to trusted proxy servers only.

Original NVD description (English source)

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS