A vulnerability that could have permitted an attacker to coin infinite Zcash (ZEC) has been patched and disclosed by the company behind the coin, according to the post, The counterfeiting vulnerability was fixed by the Sapling network upgrade that activated on October 28th, 2018. The vulnerability was specific to counterfeiting and did not affect user privacy in any way. Prior to its remediation, an attacker could have created fake Zcash without being detected. The counterfeiting vulnerability has been fully remediated in Zcash and no action is required by Zcash users.
The counterfeiting vulnerability was discovered by a cryptographer employed by the Zerocoin Electric Coin Company (aka The Zcash Company) on March 1st, 2018. It was not reported publicly at the time in order to protect against it being exploited prior to its remediation, and to provide information and remediated code to other projects that were also vulnerable.