CVE-2026-33529
Published 2026-03-26
Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.7th percentile)
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tobychui_zoraxy | >= 0 < 3.3.2 | 3.3.2 |
| github.com | tobychui_zoraxy | >= 0 < 3.3.2+incompatible | 3.3.2+incompatible |
| tobychui | zoraxy | < 3.3.2 | 3.3.2 |
| zoraxy | zoraxy | < 3.3.2 | 3.3.2 |
Detection & IOCs (extracted from sources)
- Authenticated path traversal vulnerability in the configuration import endpoint of Zoraxy (prior to v3.3.2) allows writing arbitrary files outside the config directory, potentially leading to RCE via plugin creation. Monitor for suspicious file writes outside the expected config directory originating from the config import endpoint.
- Exploitation requires authentication; this is not an unauthenticated vulnerability. An attacker must have valid credentials to the Zoraxy instance before exploiting the path traversal on the configuration import endpoint.
OSV
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE in github.com/tobychui/zoraxy
osv · 2026-03-26
GHSA
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
ghsa · 2026-03-25
CVE-2026-33529 · GHSA severity: LOW · CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
# Authenticated Path Traversal to RCE via Configuration Import
## Summary
An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin.
## Details
The vulnerable endpoint is `POST /api/conf/import`.
The sanitization of zip entry names is bypassed by embedding `../` inside a longer sequence, so that removing the first match produces a new `../`:
```
conf/..././..././entrypoint.py
→ ReplaceAll("../", "") (match found at index 1 of "..././", leaving "../")
→ conf/../../entrypoint.py ← passes HasPrefix check, escapes conf/
```
Using this endpoint, a new plugin can be written (persistent) and
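The root cause described above is a string-level check (strip `../`, then test a prefix) applied where a path-level check was needed. The Go program below is an added example, not Zoraxy's source: `vulnerableDest` reconstructs the flawed logic as the advisory describes it, and `safeDest` shows the hardened form, which resolves the entry against the extraction root with `filepath.Join` and then checks containment with `filepath.Rel`. The `baseDir` value and the zip entry names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// baseDir is a constructed stand-in for the Zoraxy working directory that
// the config import extracts into; "conf/" sits directly below it.
const baseDir = "/srv/zoraxy"

// vulnerableDest reconstructs the flawed check the advisory describes (an
// illustration, not Zoraxy's source): strip "../" with one ReplaceAll, then
// trust a string-prefix test. It returns the path the write actually lands
// on once the filesystem resolves the ".." components that survived.
func vulnerableDest(entryName string) (string, error) {
	cleaned := strings.ReplaceAll(entryName, "../", "")
	if !strings.HasPrefix(cleaned, "conf/") {
		return "", errors.New("rejected: entry not under conf/")
	}
	// The prefix test looks at the string, not the resolved path, so
	// "conf/../../x" passes and the kernel walks out of baseDir.
	return filepath.Clean(baseDir + "/" + cleaned), nil
}

// safeDest resolves the entry name against baseDir first and then checks
// containment on the resolved path with filepath.Rel. Nested or overlapping
// "../" sequences are collapsed by Join, so there is no string to bypass.
func safeDest(entryName string) (string, error) {
	if entryName == "" || filepath.IsAbs(entryName) || strings.ContainsAny(entryName, "\\\x00") {
		return "", errors.New("rejected: empty, absolute or malformed entry name")
	}
	confRoot := filepath.Join(baseDir, "conf")
	target := filepath.Join(baseDir, entryName) // Join runs Clean: ".." and "." are resolved here
	rel, err := filepath.Rel(confRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("rejected: entry resolves outside conf/")
	}
	return target, nil
}

// escapesBase reports whether a resolved path lies outside baseDir; it is
// used to show where each sanitizer would have written.
func escapesBase(resolved string) bool {
	rel, err := filepath.Rel(baseDir, resolved)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed zip entry names: the advisory's bypass payload, a plain
	// traversal, and a legitimate config file.
	entries := []string{
		"conf/..././..././entrypoint.py",
		"conf/../../entrypoint.py",
		"conf/proxy/site.json",
	}
	for _, name := range entries {
		fmt.Printf("entry %q\n", name)
		if p, err := vulnerableDest(name); err != nil {
			fmt.Printf("  vulnerable: %v\n", err)
		} else {
			fmt.Printf("  vulnerable: writes %s (escapes base: %t)\n", p, escapesBase(p))
		}
		if p, err := safeDest(name); err != nil {
			fmt.Printf("  hardened:   %v\n", err)
		} else {
			fmt.Printf("  hardened:   writes %s (escapes base: %t)\n", p, escapesBase(p))
		}
	}
}
```

With the advisory's payload, the vulnerable path lands on `/srv/entrypoint.py`, two levels above the extraction root, while the hardened check keeps the same name inside `conf/` (the triple-dot components are ordinary directory names once the path is cleaned) and rejects anything whose resolved location is outside `conf/`. The same containment test is what a file-write audit rule can apply when reviewing import activity: compare the resolved destination against the expected root, not the raw entry name.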
OSV
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
osv · 2026-03-25
CVE-2026-33529 · severity: LOW
No detection rules found.
No public exploits indexed.
Published: 2026-03-26