{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33528", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T19:24:50.452Z", "dateUpdated": "2026-03-27T13:57:45.401Z"}, "containers": {"cna": {"title": "GoDoxy has a Path Traversal Vulnerability in its File API", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"}, {"name": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059", "tags": ["x_refsource_MISC"], "url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059"}, {"name": "https://github.com/yusing/godoxy/releases/tag/v0.27.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5"}], "affected": [{"vendor": "yusing", "product": "godoxy", "versions": [{"version": "< 0.27.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:24:50.452Z"}, "descriptions": [{"lang": "en", "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."}], "source": {"advisory": "GHSA-4753-cmc8-8j9v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:45:54.133084Z", "id": "CVE-2026-33528", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:57:45.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33528", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:45:54.133084Z"}}}], "references": [{"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:45:48.406Z"}}], "cna": {"title": "GoDoxy has a Path Traversal Vulnerability in its File API", "source": {"advisory": "GHSA-4753-cmc8-8j9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "yusing", "product": "godoxy", "versions": [{"status": "affected", "version": "< 0.27.5"}]}], "references": [{"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "name": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059", "name": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5", "name": "https://github.com/yusing/godoxy/releases/tag/v0.27.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:24:50.452Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33528", "state": "PUBLISHED", "dateUpdated": "2026-03-27T13:57:45.401Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:24:50.452Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:godoxy:godoxy:*:*:*:*:*:go:*:*", "matchCriteriaId": "1505EC25-9DA1-4B84-A1B4-EA519A33AB71", "versionEndExcluding": "0.27.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."}, {"lang": "es", "value": "GoDoxy es un proxy inverso y orquestador de contenedores para autoalojadores. Antes de la versi\u00f3n 0.27.5, el endpoint de la API de contenido de archivos en '/api/v1/file/content' es vulnerable a salto de ruta. El par\u00e1metro de consulta 'filename' se pasa directamente a 'path.Join(common.ConfigBasePath, filename)' donde 'ConfigBasePath = \"config\"' (una ruta relativa). No se aplica ninguna sanitizaci\u00f3n ni validaci\u00f3n m\u00e1s all\u00e1 de verificar que el campo no est\u00e9 vac\u00edo ('binding:\"required\"'). Un atacante autenticado puede usar secuencias '../' para leer o escribir archivos fuera del directorio 'config/' previsto, incluyendo claves privadas TLS, tokens de actualizaci\u00f3n de OAuth y cualquier archivo accesible al UID del contenedor. La versi\u00f3n 0.27.5 soluciona el problema."}], "id": "CVE-2026-33528", "lastModified": "2026-04-02T18:17:26.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T20:16:14.913", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.27.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "godoxy", "source": "cna", "vendor": "yusing"}, "product": "godoxy", "vendor": "yusing"}], "analysis": {"en": {"generated_at": "2026-04-02T22:15:25.934886+00:00", "value": {"mitigation_remediation": ["Upgrade GoDoxy to version 0.27.5 or later to eliminate the path traversal vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized file access"}, "threat_synthesis": {"affected_systems": "Affected product is GoDoxy, a reverse proxy and container orchestrator developed by yusing. Versions earlier than 0.27.5 are vulnerable. The vulnerability affects any installation exposing the API endpoint, regardless of deployment environment, as the flaw exists in the core file handling logic. Users running environments with the ConfigBasePath set to the relative \"config\" directory are included.", "description_and_impact": "The vulnerability is a path traversal flaw in the /api/v1/file/content endpoint where the filename parameter is concatenated to the config path without sanitization. An attacker who can authenticate to the service can craft filenames with ../ to read or create files outside the intended config directory, potentially accessing TLS private keys, OAuth tokens, or any file readable by the container. This can lead to disclosure of sensitive data, credential compromise, and full system takeover. The weakness corresponds to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).", "risk_and_exploitability": "The CVSS score is 6.5, indicating a medium severity. EPSS is below 1%, suggesting a low exploitation probability. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires valid authentication to the service, but once authenticated, the attacker can bypass confinement and access or modify arbitrary files within the container. Because the payload does not require privilege escalation prior to authentication, the risk to the entire host depends on the container's UID and privileges. The vulnerability is likely to be exploited through the exposed API endpoint over the network."}}}}, "created": "2026-03-27T08:33:10.880697+00:00", "updated": "2026-04-03T09:38:53.068729+00:00", "vendors": ["yusing", "yusing$PRODUCT$godoxy"]}