CVE-2026-33529
- Source
- https://cve.org/CVERecord?id=CVE-2026-33529
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33529.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33529
- Aliases
- Downstream
- Related
- Published
- 2026-03-26T19:26:32.646Z
- Modified
- 2026-04-10T05:42:49.566024Z
- Severity
-
- 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
- Details
-
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
- Database specific
{ "cwe_ids": [ "CWE-22" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33529.json", "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33529.json
- https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b
- https://github.com/tobychui/zoraxy/releases/tag/v3.3.2
- https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9
- https://nvd.nist.gov/vuln/detail/CVE-2026-33529
Affected packages
Git / github.com/tobychui/zoraxy
Affected versions
2.*
2.1
2.2
2.3
2.4
2.5
2.6
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.1r2
v3.*
v3.1.1r3
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.5r2
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-rc3
v3.3.1
v3.3.1-rc1
v3.3.1-rc2
v3.3.1-rc3
v3.3.2-rc1
v3.3.2-rc2
v3.3.2-rc3
v3.3.2-rc4