CVE-2026-33529

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2
https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-26 20:16

Updated : 2026-03-30 13:26

NVD link : CVE-2026-33529

Mitre link : CVE-2026-33529

CVE.ORG link : CVE-2026-33529

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

3.3 /10