Description
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
Published: 2026-03-26
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An authenticated path traversal flaw in Zoraxy’s configuration import endpoint allows an attacker who can log in to write arbitrary files outside the intended configuration directory. By creating a malicious plugin file, the compromised system can execute arbitrary code on the host. The vulnerability is a classic directory traversal issue identified as CWE‑22.

Affected Systems

The flaw impacts all releases of Zoraxy by tobychui prior to version 3.3.2, including v3.3.1 and earlier builds. Service operators must verify whether their installations are running a vulnerable build and whether the configuration import interface is enabled.

Risk and Exploitability

The CVSS score is 3.3, indicating low severity, and the EPSS score is less than 1 %, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an authenticated user who can access the configuration import endpoint; once the attacker can move the path to write outside the config directory, they can register a plugin that will be executed by the application. The likely attack vector is authenticated use of the configuration import feature, and while the chance of widespread attacks is currently low, the potential impact remains significant.

Generated by OpenCVE AI on April 2, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zoraxy to version 3.3.2 or later.

Generated by OpenCVE AI on April 2, 2026 at 23:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7pq3-326h-f8q9 Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Zoraxy
Zoraxy zoraxy
CPEs cpe:2.3:a:zoraxy:zoraxy:*:*:*:*:*:*:*:*
Vendors & Products Zoraxy
Zoraxy zoraxy

Sat, 28 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Tobychui
Tobychui zoraxy
Vendors & Products Tobychui
Tobychui zoraxy

Thu, 26 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
Title Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Tobychui Zoraxy
Zoraxy Zoraxy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:48:28.328Z

Reserved: 2026-03-20T18:05:11.830Z

Link: CVE-2026-33529

cve-icon Vulnrichment

Updated: 2026-03-27T19:48:24.418Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T20:16:15.070

Modified: 2026-04-02T18:13:03.553

Link: CVE-2026-33529

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:52Z

Weaknesses