CVE-2026-33529

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
Configurations

Configuration 1

cpe:2.3:a:zoraxy:zoraxy:*:*:*:*:*:*:*:*

History

02 Apr 2026, 18:13

Type | Values Removed | Values Added
References | () https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b - | () https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b - Patch
References | () https://github.com/tobychui/zoraxy/releases/tag/v3.3.2 - | () https://github.com/tobychui/zoraxy/releases/tag/v3.3.2 - Release Notes
References | () https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9 - | () https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9 - Exploit, Vendor Advisory
CPE | | cpe:2.3:a:zoraxy:zoraxy:*:*:*:*:*:*:*:*
First Time | | Zoraxy, Zoraxy zoraxy

30 Mar 2026, 13:26

Type | Values Removed | Values Added
Summary | | (es) Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the configuration directory, which can lead to RCE by creating a plugin. Version 3.3.2 fixes the issue.

26 Mar 2026, 20:16

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2026-03-26 20:16

Updated : 2026-04-02 18:13


NVD link : CVE-2026-33529

Mitre link : CVE-2026-33529

CVE.ORG link : CVE-2026-33529



Products Affected

zoraxy

  • zoraxy
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')