Princey, I do not intend to damage the community. The community does that itself pretty well.
I will not post detailed vulnerability reports.
The general list of vulnerabilities is here:
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
If you need examples that this is true:
item 1) look at
http://zero-k.info/Forum/Thread/9936 (last message suggests the same class of bug was introduced again recently)
item 2) look at
https://code.google.com/p/zero-k/issues/detail?id=1170
item 3) I reported bugs in the past... such as using the amazing forum to inject JavaScript. Of course, this can still be done.
...
ZK infra is vulnerable to each and every class of problem.
It is fantastic teaching material if you are into teaching good programming practices or security.
If you can upload a file, you can abuse it... to crash the server, to hack the players, to serve malware.
If you can enter data in a field, there are fairly good chances you can abuse it.
If you can access the server, you can crash it.
If you use ZKL, you are at risk of installing malware coming from anywhere.
Those are my general observations.
I will only post funny stuff then... showing quality of the code rather than vulnerabilities.