CVE-2026-33529
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
| CVSS Score | 3.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
| CWE | CWE-22 |
| Vendor | tobychui |
| Product | zoraxy |
| Published | Mar 26, 2026 |
| Last Updated | Mar 27, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions
| tobychui / zoraxy | < 3.3.2 |