๐Ÿ” CVE Alert

CVE-2026-33528

MEDIUM 6.5

GoDoxy has a Path Traversal Vulnerability in its File API

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 13th

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.

CWE: CWE-22
Vendor: yusing
Product: godoxy
Published: Mar 26, 2026
Last Updated: Mar 27, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Affected Versions

yusing / godoxy
< 0.27.5

References

github.com: https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v
github.com: https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
github.com: https://github.com/yusing/godoxy/releases/tag/v0.27.5