Description
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
Published: 2026-06-25
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

3X-UI's database import does not validate the Xray configuration values it restores, so an authenticated administrator can import a database whose Xray configuration points a log path (the CVE title names "Xray Log Path Manipulation") at any location on the host. When that configuration is applied, the attacker-chosen path is used as a filesystem write target, which yields an arbitrary file write with the privileges of the Xray process. That write can be used to plant content leading to code execution and persistence as the user running Xray, and, where Xray runs as root, to full control of the host. The root cause is CWE-73 (External Control of File Name or Path): a value read from the database is used to form a filesystem path without validation.
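The pattern behind the flaw is a configuration value that comes out of the database and is used as a write path without any containment check. The Go code below is an added example written for this page, not 3X-UI's own code and not its 3.3.1 fix; it shows the check a panel should apply to imported Xray log paths before writing the configuration to disk or starting Xray. It assumes an allowed log directory of /var/log/xray (a hypothetical location) and mirrors the "access" and "error" fields of Xray-core's "log" configuration object; the two JSON documents are constructed inputs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// AllowedLogDir is the only directory an imported configuration may point
// Xray's log files at. The location is an assumption made for this
// example, not 3X-UI's real layout.
const AllowedLogDir = "/var/log/xray"

// xrayLog mirrors the "log" object of an Xray-core configuration; "access"
// and "error" are the files Xray opens for writing when it starts.
type xrayLog struct {
	Access string `json:"access"`
	Error  string `json:"error"`
}

// xrayConfig holds just the part of the configuration this check inspects.
type xrayConfig struct {
	Log xrayLog `json:"log"`
}

// ErrPathOutsideLogDir is returned for any path that escapes AllowedLogDir.
var ErrPathOutsideLogDir = errors.New("log path resolves outside the allowed log directory")

// ValidateLogPath accepts an empty path (Xray then writes no log file) or
// an absolute path that, after lexical normalisation, names a file strictly
// inside AllowedLogDir. Traversal sequences are collapsed by filepath.Clean
// before the containment check runs, so "/var/log/xray/../../../x" is
// judged by where it actually lands.
func ValidateLogPath(p string) error {
	if p == "" {
		return nil
	}
	if !filepath.IsAbs(p) {
		return fmt.Errorf("log path %q must be absolute", p)
	}
	rel, err := filepath.Rel(AllowedLogDir, filepath.Clean(p))
	if err != nil {
		return err
	}
	// "." is the directory itself, ".." or "../x" is outside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%w: %q", ErrPathOutsideLogDir, p)
	}
	return nil
}

// CheckImportedConfig parses an Xray configuration as it would be read
// from an imported database and rejects it if either log path fails
// ValidateLogPath. Run this before the configuration is written to disk
// or handed to Xray.
func CheckImportedConfig(raw []byte) error {
	var cfg xrayConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return fmt.Errorf("invalid xray config: %w", err)
	}
	if err := ValidateLogPath(cfg.Log.Access); err != nil {
		return fmt.Errorf("log.access: %w", err)
	}
	if err := ValidateLogPath(cfg.Log.Error); err != nil {
		return fmt.Errorf("log.error: %w", err)
	}
	return nil
}

// Constructed sample configurations (not taken from any real backup): the
// first is what a legitimate export would contain; the second points one
// log at a traversal path and the other at a file outside the log directory.
const GoodConfig = `{"log":{"access":"/var/log/xray/access.log","error":"/var/log/xray/error.log","loglevel":"warning"}}`
const BadConfig = `{"log":{"access":"/var/log/xray/../../../tmp/outside.log","error":"/tmp/outside.log","loglevel":"warning"}}`

func main() {
	for name, cfg := range map[string]string{"good": GoodConfig, "bad": BadConfig} {
		if err := CheckImportedConfig([]byte(cfg)); err != nil {
			fmt.Printf("%s config rejected: %v\n", name, err)
		} else {
			fmt.Printf("%s config accepted\n", name)
		}
	}
}
```

The check is purely lexical. If an attacker can create symlinks inside the allowed directory, a path that passes this test can still resolve elsewhere; in that case resolve the parent directory with filepath.EvalSymlinks before comparing, or have the writer open the target with O_NOFOLLOW. The same containment rule applies to any other file path the import can influence, not only the two log fields shown here.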

Affected Systems

The affected product is 3x-ui developed by MHSanaei. All releases prior to version 3.3.1 are vulnerable; versions 3.3.1 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates high severity. No EPSS score has been published, so the probability of exploitation in the wild is not quantified, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records exploitation status "poc", technical impact "total" and "Automatable: no". Exploitation requires an authenticated administrator session on the 3X-UI panel. From there the attacker imports a database whose stored Xray configuration sets a log path to a file of their choosing; when the configuration is applied, that path becomes a write target on the host, and the resulting arbitrary file write is then turned into code execution. The attack is carried out entirely over the panel's web interface, so it is network-reachable and needs no additional service on the host. Persistence gained this way lasts until the written file is removed or the configuration is corrected.

Generated by OpenCVE AI on June 25, 2026 at 16:37 UTC.

Remediation

Fixed by the vendor in 3x-ui 3.3.1 (see the description above); upgrade to 3.3.1 or later. No separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade 3x-UI to version 3.3.1 or later, which contains the vendor fix.
  • If an upgrade cannot be performed immediately, treat database import as a privileged operation: keep administrator accounts to a minimum, use strong unique credentials, restrict network access to the panel (for example, bind it to a local interface or place it behind a VPN), and import only database backups whose origin you trust.
  • Run Xray under a dedicated non-root user so that a successful file write is confined to that user's permissions; this limits, but does not remove, the impact.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type: Description
Values Added: 3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.

Type: Title
Values Added: Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

Type: Weaknesses
Values Added: CWE-73

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:48:02.922Z

Reserved: 2026-06-16T22:10:37.609Z

Link: CVE-2026-55477

Vulnrichment

Updated: 2026-06-25T15:47:57.973Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:45:03Z

Weaknesses
  • CWE-73: External Control of File Name or Path