CVE-2026-33529 PUBLISHED

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Assigner: GitHub_M
Reserved: 20.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 3.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	tobychui
Product	zoraxy
Versions	Version < 3.3.2 is affected

References

https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9
https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE