CVE-2026-57527: ZAP ViewState add-on insecure deserialization RCE
CVE-2026-57527 is verified against zaproxy/zap-extensions · github affected versions: ViewState add-on versions 1, 2, and 3 (before version 4) fixed version: ViewState add-on version 4 vulnerability class: RCE This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00249.
pruva-verify REPRO-2026-00249 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00249/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability. An attacker who controls a proxied web server can embed a malicious serialized Java object in a ViewState response; when ZAP's ViewState add-on parses it, arbitrary code execution occurs. Reproduce: install ZAP with the ViewState add-on <4, run ZAP as a proxy, and browse a malicious page that returns a crafted ViewState payload. The add-on deserializes the payload and executes code.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.