CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-57527

highCVSS 8.8covered by 1 sourcefirst seen 2026-06-26
Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel.

⚡ Watch CVE-2026-57527

Get an email if CVE-2026-57527 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-57527

CVE.org record

Embed the live status

CVE-2026-57527 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-57527 status](https://www.csirts.com/badge/CVE-2026-57527)](https://www.csirts.com/cve/CVE-2026-57527)