Webdriver Update

[zapbot]

ChromeDriver update to 147.0.7727.24

Signed-off-by: zapbot 12745184+zapbot@users.noreply.github.com

[psiinon]

Checkmarx One – Scan Summary & Details – bcde1fa6-b257-4034-8be9-d1aeb361b225

---

New Issues (158)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_Code_Injection	/addOns/graaljs/src/main/java/org/zaproxy/zap/extension/graaljs/PacScript.java: 107	details The application's  method receives and dynamically executes user-controlled code using eval, at line 143 of /addOns/graaljs/src/main/java/org/zapr... Attack Vector
2		Stored_XSS	/addOns/plugnhack/src/main/java/org/zaproxy/zap/extension/plugnhack/PlugNHackAPI.java: 300	details The method embeds untrusted data in generated output with append, at line 301 of /addOns/plugnhack/src/main/java/org/zaproxy/zap/extension/plugnha... Attack Vector
3		Absolute_Path_Traversal	/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java: 363	details Method at line 363 of /addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java gets dynamic data from ... Attack Vector
4		Absolute_Path_Traversal	/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java: 331	details Method at line 331 of /addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java gets dynamic data from ... Attack Vector
5		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 223	details Method at line 223 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
6		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 400	details Method at line 400 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
7		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 432	details Method at line 432 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
8		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 441	details Method at line 441 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
9		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 612	details Method at line 612 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
10		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 663	details Method at line 663 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
11		Absolute_Path_Traversal	/addOns/jython/src/main/java/org/zaproxy/zap/extension/jython/JythonOptionsPanel.java: 111	details Method at line 111 of /addOns/jython/src/main/java/org/zaproxy/zap/extension/jython/JythonOptionsPanel.java gets dynamic data from the getText el... Attack Vector
12		Absolute_Path_Traversal	/addOns/network/src/main/java/org/zaproxy/addon/network/ClientCertificatesOptionsPanel.java: 206	details Method at line 206 of /addOns/network/src/main/java/org/zaproxy/addon/network/ClientCertificatesOptionsPanel.java gets dynamic data from the getT... Attack Vector
13		Absolute_Path_Traversal	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/ui/AddPkcs11DriverDialog.java: 96	details Method at line 96 of /addOns/network/src/main/java/org/zaproxy/addon/network/internal/ui/AddPkcs11DriverDialog.java gets dynamic data from the ge... Attack Vector
14		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 297	details Method at line 297 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
15		Absolute_Path_Traversal	/addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java: 153	details Method at line 153 of /addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java gets dynamic data from the getText element. This... Attack Vector
16		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 335	details Method at line 335 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
17		Cleartext_Submission_of_Sensitive_Information	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/HttpSenderApache.java: 446	details Potentially sensitive personal information credentialsProvider, at line 446 of /addOns/network/src/main/java/org/zaproxy/addon/network/internal/cli... Attack Vector
18		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 452 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
19		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 419 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
20		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 386 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
21		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 364 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
22		Improper_Restriction_of_Stored_XXE_Ref	/addOns/todo/src/main/java/org/zaproxy/zap/extension/todo/TodoList.java: 131	details The loads and parses XML using parse, at line 133 of /addOns/todo/src/main/java/org/zaproxy/zap/extension/todo/TodoList.java. This XML was rece... Attack Vector
23		Improper_Restriction_of_Stored_XXE_Ref	/addOns/saml/src/main/java/org/zaproxy/zap/extension/saml/SAMLConfiguration.java: 78	details The loads and parses XML using unmarshal, at line 248 of /addOns/saml/src/main/java/org/zaproxy/zap/extension/saml/SAMLConfiguration.java. This... Attack Vector
24		SSRF	/addOns/network/src/main/java/org/apache/hc/client5/http/impl/classic/ZapInternalHttpClient.java: 188	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/apache/hc/client5/http/im... Attack Vector
25		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 47	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
26		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 53	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
27		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 56	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
28		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 46	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
29		Missing_HSTS_Header	/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java: 986	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
30		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmAppendHttpMessageMenu.java: 53	details Method at line 53 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmAppendHttpMessageMenu.java sends user information outside the applicat... Attack Vector
31		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java: 201	details Method at line 201 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java sends user information outside the ap... Attack Vector
32		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmChatPanel.java: 240	details Method at line 240 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmChatPanel.java sends user information outside the application. This ... Attack Vector
33		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java: 206	details Method at line 206 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java sends user information outside the ap... Attack Vector
34		Privacy_Violation	/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java: 119	details Method at line 119 of /addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java sends user inform... Attack Vector
35		Privacy_Violation	/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java: 120	details Method at line 120 of /addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java sends user inform... Attack Vector
36		SSL_Verification_Bypass	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/h2/ZapClientTlsStrategy.java: 197	details /addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/h2/ZapClientTlsStrategy.java relies HTTPS requests, in . The x50... Attack Vector
37		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 696	details Method at line 696 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getVariableName - the ... Attack Vector
38		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 697	details Method at line 697 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getCookieName - the ra... Attack Vector
39		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 695	details Method at line 695 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getWindowHandle - the ... Attack Vector
40		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/DefaultStringPayloadGeneratorUIHandler.java: 257	details Method at line 257 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/DefaultStringPayloadGeneratorUIHandler.java obta... Attack Vector
41		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java: 381	details Method at line 381 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java obtains user... Attack Vector
42		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java: 381	details Method at line 381 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java obtains user... Attack Vector
43		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 441	details Method at line 441 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
44		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 444	details Method at line 444 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
45		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 612	details Method at line 612 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
46		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 617	details Method at line 617 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
47		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/JsonPayloadGeneratorAdapterUIHandler.java: 169	details Method at line 169 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/JsonPayloadGeneratorAdapterUIHandler.java obtain... Attack Vector
48		Unchecked_Input_for_Loop_Condition	/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java: 466	details Method at line 466 of /addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java obtains user ... Attack Vector
49		Unchecked_Input_for_Loop_Condition	/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java: 971	details Method at line 971 of /addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java obtains user input from... Attack Vector
50		Use_Of_Hardcoded_Password	/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java: 178	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
51		Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 68	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
52		Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 65	details The application uses the hard-coded password OLD_PASSWORD for authentication purposes, either using it to verify users' identities, or to access ... Attack Vector
53		Use_Of_Hardcoded_Password	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/internal/ClientSideHandlerUnitTest.java: 64	details The application uses the hard-coded password TEST_PASSWORD for authentication purposes, either using it to verify users' identities, or to access... Attack Vector
54		Use_Of_Hardcoded_Password	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthDiagnosticCollectorUnitTest.java: 236	details The application uses the hard-coded password ""mySuperSecretPassword"" for authentication purposes, either using it to verify users' identities, o... Attack Vector
55		Use_Of_Hardcoded_Password	/addOns/automation/src/main/java/org/zaproxy/addon/automation/ContextWrapper.java: 518	details The application uses the hard-coded password PASSWORD_CREDENTIAL for authentication purposes, either using it to verify users' identities, or to ... Attack Vector
56		Use_Of_Hardcoded_Password	/addOns/bugtracker/src/main/java/org/zaproxy/zap/extension/bugtracker/BugTrackerBugzillaParam.java: 41	details The application uses the hard-coded password CONFIG_PASSWORD_KEY for authentication purposes, either using it to verify users' identities, or to... Attack Vector
57		Use_Of_Hardcoded_Password	/addOns/network/src/main/java/org/zaproxy/addon/network/NetworkApi.java: 141	details The application uses the hard-coded password PARAM_PASSWORD for authentication purposes, either using it to verify users' identities, or to acces... Attack Vector
58		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/LegacyConnectionParamUnitTest.java: 57	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
59		Use_Of_Hardcoded_Password	/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java: 53	details The application uses the hard-coded password pass for authentication purposes, either using it to verify users' identities, or to access another r... Attack Vector
60		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/internal/client/KeyStoreEntryUnitTest.java: 66	details The application uses the hard-coded password ""password"" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
61		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/internal/client/CertificateEntryUnitTest.java: 55	details The application uses the hard-coded password ""password"" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
62		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_tr_TR.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_tr_TR.properties contains a har... Attack Vector
63		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_bs_BA.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_bs_BA.properties contains a har... Attack Vector
64		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_fr_FR.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_fr_FR.properties contains a har... Attack Vector
65		Use_Of_Hardcoded_Password_In_Config	/addOns/bugtracker/src/main/resources/org/zaproxy/zap/extension/bugtracker/resources/Messages_vi_VN.properties: 107	details The configuration file /addOns/bugtracker/src/main/resources/org/zaproxy/zap/extension/bugtracker/resources/Messages_vi_VN.properties contains a... Attack Vector
66		Use_Of_Hardcoded_Password_In_Config	/addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_es_ES.properties: 357	details The configuration file /addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_es_ES.properties contains a hardcoded p... Attack Vector
67		Use_Of_Hardcoded_Password_In_Config	/addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_hu_HU.properties: 357	details The configuration file /addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_hu_HU.properties contains a hardcoded p... Attack Vector

More results are available on the CxOne platform

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

[kingthorin]

Chrome 147 stable was released for desktop (Windows, Mac, Linux) on March 25, 2026, as part of an early stable update, following its Beta promotion on March 11, 2026. The official full stable release is scheduled for April 7, 2026

[thc202]

I'm not seeing any updates yet in Chrome.

[kingthorin]

On the side I'll start looking into a way to check the dates in the workflow.

I had previously found a place where they publish them via JSON.

[thc202]

https://chromiumdash.appspot.com/schedule
Stable Release Tue, Apr 7, 2026

[thc202]

This is now missing releases for 146 (146.0.7680.178), though probably not a problem.

[kingthorin]

We're past the 7th (when you read this), so it should be good to go.

[thc202]

Best way is to see if Chrome wants update (which it wants) not the date.