CVE-2026-33528

Source
https://cve.org/CVERecord?id=CVE-2026-33528
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33528.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33528
Published
2026-03-26T19:24:50.452Z
Modified
2026-04-10T05:43:17.990766Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
GoDoxy has a Path Traversal Vulnerability in its File API
Details

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required"). An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33528.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
Affected packages

Git / github.com/yusing/godoxy

Affected ranges

Type
GIT
Repo
https://github.com/yusing/godoxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.27.5"
        }
    ]
}

Affected versions

0.*
0.1-stable
0.2-alpha
0.2.1
0.2.2
0.3
0.3.1
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.5.0
0.5.0-beta
0.5.0-beta2
0.5.0-beta3
0.5.0-rc1
0.5.0-rc2
0.5.0-rc3
0.5.0-rc4
0.5.0-rc5
0.5.0-rc6
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6
0.6-rp1
0.6.1
0.6.2
0.6.4
0.6.4-1
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.8.0
0.8.1
0.9
0.9.1
0.9.2
0.9.3
0.9.4
0.9.4-1
0.9.5
0.9.6
0.9.7
0.9.8
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.11.2
v0.11.2-1
v0.11.2-2
v0.11.3
v0.11.4
v0.11.5
v0.11.6
v0.11.6-buildfix
v0.11.7
v0.11.8
v0.11.9
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.13.5
v0.13.6
v0.13.7
v0.13.8
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.3
v0.16.0
v0.16.0-pathfix
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.19.0
v0.19.1
v0.19.2
v0.20.0
v0.20.1
v0.20.10
v0.20.11
v0.20.12
v0.20.13
v0.20.14
v0.20.2
v0.20.3
v0.20.4
v0.20.5
v0.20.6
v0.20.7
v0.20.8
v0.20.9
v0.21.0
v0.21.1
v0.21.2
v0.21.3
v0.22.0
v0.22.1
v0.23.0
v0.23.1
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.25.0
v0.25.1
v0.25.2
v0.25.3
v0.26.0
v0.27.0
v0.27.1
v0.27.2
v0.27.3
v0.27.4
v0.9.10
v0.9.8
v0.9.9
v0.9.9-1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33528.json"