CVE-2026-33529
published 2026-03-26


Priority: P260 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.7th percentile)
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
github.com | tobychui_zoraxy | >= 0 < 3.3.2 | 3.3.2
github.com | tobychui_zoraxy | >= 0 < 3.3.2+incompatible | 3.3.2+incompatible
tobychui | zoraxy | < 3.3.2 | 3.3.2
zoraxy | zoraxy | < 3.3.2 | 3.3.2

Detection & IOCs (extracted from sources)

  • Authenticated path traversal vulnerability in the configuration import endpoint of Zoraxy (prior to v3.3.2) allows writing arbitrary files outside the config directory, potentially leading to RCE via plugin creation. Monitor for suspicious file writes outside the expected config directory originating from the config import endpoint.
  • Exploitation requires authentication; this is not an unauthenticated vulnerability. An attacker must have valid credentials to the Zoraxy instance before exploiting the path traversal on the configuration import endpoint.