From the CVE:
- Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security.
ZAP uses GraalVM for user scripting, which runs in ZAP, and does not use it to load any code, untrusted or otherwise.
In theory a ZAP user could use it to load untrusted code, but that would be very unwise.
Unless anyone disagrees, I think this means it does not impact ZAP.
However, we will look at upgrading GraalVM to a more recent version soon.
Many thanks,
Simon