A bug which allows unlimited creation of coins was found and fixed in ZeroCash.
It is a sophisticated and subtle security flaw. We read that:
To exploit the counterfeiting vulnerability, an attacker would have needed to possess information found in the large MPC protocol transcript that was made available shortly after the launch of Zcash. This transcript had not been widely downloaded and was removed from public availability immediately upon discovery of the vulnerability to make it more difficult to exploit. The Zcash Company adopted and maintained a cover story that the transcript was missing due to accidental deletion. The transcript was later reconstructed from DVDs collected from the participants of the original ceremony and posted following the Sapling activation.
Source: ZCash blog here.
Added May 2019:
For decades we have heard toxic propaganda claiming that open source software is secure, that peer-reviewed research is correct and accurate etc. Again evidence says the contrary: In Australia they had printed and circulated 46 million bank notes with a typo and nobody noticed for 6 months.