ZAP ViewState Add-on Insecure Deserialization via JSFViewState.decode()_CVE-2026-57527

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

AI Analysis

Insecure deserialization vulnerability in ZAP ViewState add-on before version 4, allowing arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter.

Basic Information

ID CVE-2026-57527

Source VulnCheck

Published Jun 26, 2026 at 14:43

Modified Jun 26, 2026 at 16:31

Affected Product

Vendor zaproxy

Product zap-extensions

Affected Versions zaproxy zap-extensions 0

CWE Classification

CWE-502

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor ZAP

Product ZAP ViewState add-on

Version before version 4

References

{
    "lastseen": "",
    "description": "Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.",
    "published": "2026-06-26T14:43:32.982Z",
    "modified": "2026-06-26T16:31:01.702Z",
    "type": "cve",
    "title": "ZAP ViewState Add-on Insecure Deserialization via JSFViewState.decode()",
    "source": "VulnCheck",
    "references": "https://www.zaproxy.org/blog/2026-06-24-java-deserialization-vulnerability-in-zap-viewstate-addon/\nhttps://github.com/zaproxy/zap-extensions/releases/tag/viewstate-v4\nhttps://github.com/zaproxy/zap-extensions/pull/7481\nhttps://github.com/zaproxy/zap-extensions/commit/ac6c3f94d38505bc0facea286a4d3728044c6e5c\nhttps://www.vulncheck.com/advisories/zap-viewstate-add-on-insecure-deserialization-via-jsfviewstate-decode",
    "id": "CVE-2026-57527",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "zaproxy zap-extensions 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zap-extensions",
    "version": "0",
    "vendor": "zaproxy",
    "ai_description": "Insecure deserialization vulnerability in ZAP ViewState add-on before version 4, allowing arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter.",
    "ai_severity": "High",
    "ai_vendor": "ZAP",
    "ai_product": "ZAP ViewState add-on",
    "ai_version": "before version 4",
    "ai_score": 8.7
}