{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33529", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T19:26:32.646Z", "dateUpdated": "2026-03-27T19:48:28.328Z"}, "containers": {"cna": {"title": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"}, {"name": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b", "tags": ["x_refsource_MISC"], "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"}, {"name": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"}], "affected": [{"vendor": "tobychui", "product": "zoraxy", "versions": [{"version": "< 3.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:26:32.646Z"}, "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."}], "source": {"advisory": "GHSA-7pq3-326h-f8q9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:48:19.703448Z", "id": "CVE-2026-33529", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:48:28.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33529", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:48:19.703448Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:48:24.418Z"}}], "cna": {"title": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE", "source": {"advisory": "GHSA-7pq3-326h-f8q9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "tobychui", "product": "zoraxy", "versions": [{"status": "affected", "version": "< 3.3.2"}]}], "references": [{"url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9", "name": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b", "name": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2", "name": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:26:32.646Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33529", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:48:28.328Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:26:32.646Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zoraxy:zoraxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "53E3D478-D37C-4CC6-96FF-381A55956C57", "versionEndExcluding": "3.3.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."}, {"lang": "es", "value": "Zoraxy es una herramienta de proxy inverso HTTP y reenv\u00edo de prop\u00f3sito general. Antes de la versi\u00f3n 3.3.2, una vulnerabilidad de salto de ruta autenticado en el endpoint de importaci\u00f3n de configuraci\u00f3n permite a un usuario autenticado escribir archivos arbitrarios fuera del directorio de configuraci\u00f3n, lo que puede llevar a RCE mediante la creaci\u00f3n de un plugin. La versi\u00f3n 3.3.2 corrige el problema."}], "id": "CVE-2026-33529", "lastModified": "2026-04-02T18:13:03.553", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T20:16:15.070", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zoraxy", "source": "cna", "vendor": "tobychui"}, "product": "zoraxy", "vendor": "tobychui"}], "analysis": {"en": {"generated_at": "2026-04-02T23:35:31.744606+00:00", "value": {"mitigation_remediation": ["Upgrade Zoraxy to version 3.3.2 or later."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw impacts all releases of Zoraxy by tobychui prior to version 3.3.2, including v3.3.1 and earlier builds. Service operators must verify whether their installations are running a vulnerable build and whether the configuration import interface is enabled.", "description_and_impact": "An authenticated path traversal flaw in Zoraxy\u2019s configuration import endpoint allows an attacker who can log in to write arbitrary files outside the intended configuration directory. By creating a malicious plugin file, the compromised system can execute arbitrary code on the host. The vulnerability is a classic directory traversal issue identified as CWE\u201122.", "risk_and_exploitability": "The CVSS score is 3.3, indicating low severity, and the EPSS score is less than 1\u202f%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an authenticated user who can access the configuration import endpoint; once the attacker can move the path to write outside the config directory, they can register a plugin that will be executed by the application. The likely attack vector is authenticated use of the configuration import feature, and while the chance of widespread attacks is currently low, the potential impact remains significant."}}}}, "created": "2026-03-27T08:33:09.995700+00:00", "updated": "2026-04-03T09:38:52.100549+00:00", "vendors": ["tobychui", "tobychui$PRODUCT$zoraxy"]}