Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

3.3 / 10

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Description

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

Basic Information

ID CVE-2026-33529

Source GitHub_M

Published Mar 26, 2026 at 19:26

Modified Mar 27, 2026 at 19:48

Affected Product

Vendor tobychui

Product zoraxy

Version < 3.3.2

Affected Versions tobychui zoraxy < 3.3.2

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.",
    "published": "2026-03-26T19:26:32.646Z",
    "modified": "2026-03-27T19:48:28.328Z",
    "type": "cve",
    "title": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE",
    "source": "GitHub_M",
    "references": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9\nhttps://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b\nhttps://github.com/tobychui/zoraxy/releases/tag/v3.3.2",
    "id": "CVE-2026-33529",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "tobychui zoraxy < 3.3.2",
    "sourceHref": "",
    "cvss": {
        "score": 3.3,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zoraxy",
    "version": "< 3.3.2",
    "vendor": "tobychui",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE_CVE-2026-33529