{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33528", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T19:24:50.452Z", "dateUpdated": "2026-03-27T13:57:45.401Z"}, "containers": {"cna": {"title": "GoDoxy has a Path Traversal Vulnerability in its File API", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"}, {"name": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059", "tags": ["x_refsource_MISC"], "url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059"}, {"name": "https://github.com/yusing/godoxy/releases/tag/v0.27.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5"}], "affected": [{"vendor": "yusing", "product": "godoxy", "versions": [{"version": "< 0.27.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:24:50.452Z"}, "descriptions": [{"lang": "en", "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."}], "source": {"advisory": "GHSA-4753-cmc8-8j9v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:45:54.133084Z", "id": "CVE-2026-33528", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:57:45.401Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "GoDoxy has a Path Traversal Vulnerability in its File API", "source": {"advisory": "GHSA-4753-cmc8-8j9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "yusing", "product": "godoxy", "versions": [{"status": "affected", "version": "< 0.27.5"}]}], "references": [{"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "name": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059", "name": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5", "name": "https://github.com/yusing/godoxy/releases/tag/v0.27.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:24:50.452Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33528", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:45:54.133084Z"}}}], "references": [{"url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T13:45:48.406Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33528", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:24:50.452Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:24:50.452Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = \"config\"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:\"required\"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue."}, {"lang": "es", "value": "GoDoxy es un proxy inverso y orquestador de contenedores para autoalojadores. Antes de la versi\u00f3n 0.27.5, el endpoint de la API de contenido de archivos en '/api/v1/file/content' es vulnerable a salto de ruta. El par\u00e1metro de consulta 'filename' se pasa directamente a 'path.Join(common.ConfigBasePath, filename)' donde 'ConfigBasePath = \"config\"' (una ruta relativa). No se aplica ninguna sanitizaci\u00f3n ni validaci\u00f3n m\u00e1s all\u00e1 de verificar que el campo no est\u00e9 vac\u00edo ('binding:\"required\"'). Un atacante autenticado puede usar secuencias '../' para leer o escribir archivos fuera del directorio 'config/' previsto, incluyendo claves privadas TLS, tokens de actualizaci\u00f3n de OAuth y cualquier archivo accesible al UID del contenedor. La versi\u00f3n 0.27.5 soluciona el problema."}], "id": "CVE-2026-33528", "lastModified": "2026-03-27T15:16:55.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T20:16:14.913", "references": [{"source": "[email protected]", "url": "https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059"}, {"source": "[email protected]", "url": "https://github.com/yusing/godoxy/releases/tag/v0.27.5"}, {"source": "[email protected]", "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.27.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "godoxy", "source": "cna", "vendor": "yusing"}, "product": "godoxy", "vendor": "yusing"}], "analysis": {"en": {"generated_at": "2026-03-26T20:21:23.471615+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to GoDoxy version 0.27.5 or later.", "If an upgrade is not immediately possible, restrict access to the \"/api/v1/file/content\" endpoint by enforcing strict authentication and authorization checks, ensuring only trusted users can call the API.", "Implement network segmentation or firewall rules to limit external reach to the GoDoxy service, reducing the exposure window for potential attackers."], "summary": {"action": "Patch Immediately", "impact": "Sensitive File Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of GoDoxy before version 0.27.5. The affected API is available to authenticated users of the application, which is typically run by self\u2011hosters managing multiple containers. An attacker who can authenticate to the GoDoxy instance can exploit the traversal to target files on the host or within the container filesystem. Version 0.27.5 and later contain a fix that sanitizes the filename input.", "description_and_impact": "GoDoxy, a reverse proxy and container orchestrator for self\u2011hosted environments, has an authentication\u2011required path traversal flaw in its file content API. The endpoint \"/api/v1/file/content\" accepts a filename parameter that is concatenated directly with the server\u2019s configuration base path without sanitization, allowing an attacker to specify paths such as \"../\" or \"../../\". This permits reading or writing arbitrary files located outside the intended config directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container\u2019s UID. The effect is a breach of confidentiality and potential alteration of integrity for critical configuration data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity flaw. No EPSS value is published, but the issue is not listed in CISA's KEV catalog, suggesting it has not yet been widely exploited in the wild. The exploit requires successful authentication to the GoDoxy API; once authenticated, the attacker can construct a payload with traversal sequences to access sensitive files. The lack of host\u2011level isolation means that compromised credentials could lead to full configuration compromise and potential service disruption."}}}}, "created": "2026-03-27T08:33:10.880697+00:00", "updated": "2026-03-27T09:25:30.897368+00:00", "vendors": ["yusing", "yusing$PRODUCT$godoxy"]}