{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33529", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T18:05:11.830Z", "datePublished": "2026-03-26T19:26:32.646Z", "dateUpdated": "2026-03-27T19:48:28.328Z"}, "containers": {"cna": {"title": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"}, {"name": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b", "tags": ["x_refsource_MISC"], "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"}, {"name": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"}], "affected": [{"vendor": "tobychui", "product": "zoraxy", "versions": [{"version": "< 3.3.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:26:32.646Z"}, "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."}], "source": {"advisory": "GHSA-7pq3-326h-f8q9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:48:19.703448Z", "id": "CVE-2026-33529", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:48:28.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE", "source": {"advisory": "GHSA-7pq3-326h-f8q9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "tobychui", "product": "zoraxy", "versions": [{"status": "affected", "version": "< 3.3.2"}]}], "references": [{"url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9", "name": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b", "name": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2", "name": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T19:26:32.646Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33529", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:48:19.703448Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-27T19:48:24.418Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33529", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:26:32.646Z", "dateReserved": "2026-03-20T18:05:11.830Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T19:26:32.646Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."}], "id": "CVE-2026-33529", "lastModified": "2026-03-26T20:16:15.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-26T20:16:15.070", "references": [{"source": "[email protected]", "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"}, {"source": "[email protected]", "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"}, {"source": "[email protected]", "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zoraxy", "source": "cna", "vendor": "tobychui"}, "product": "zoraxy", "vendor": "tobychui"}], "analysis": {"en": {"generated_at": "2026-03-26T20:21:09.197225+00:00", "value": {"mitigation_remediation": ["Upgrade Zoraxy to version 3.3.2 or later to eliminate the path traversal flaw."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Zoraxy, developed by tobychui. Versions prior to 3.3.2 are vulnerable, as the patch in release 3.3.2 eliminates the path traversal flaw. No additional vendor or product information is available.", "description_and_impact": "Zoraxy, a general purpose HTTP reverse proxy and forwarding tool, contains an authenticated path traversal vulnerability in its configuration import endpoint that allows a logged\u2011in user to write files outside the intended configuration directory. By creating an unauthorized plugin file in a writable directory, an attacker can execute arbitrary code on the host. This weakness is identified as CWE\u201122. The vulnerability is documented in the official CVE description and has an associated CVSS score of 3.3.", "risk_and_exploitability": "With a CVSS score of 3.3 the CVE is rated low severity; however, because it requires authentication, the threat is mitigated to privileged users only. The EPSS score is not published, and the vulnerability is not listed in the KEV catalog, indicating no known widespread exploitation. The risk remains significant for environments where internal users are trusted and have access to the configuration import functionality. Regular patching is advised to fully close the attack surface."}}}}, "created": "2026-03-27T08:33:09.995700+00:00", "updated": "2026-03-27T09:25:29.983107+00:00", "vendors": ["tobychui", "tobychui$PRODUCT$zoraxy"]}