CVE-2026-33529 LOW

CVE-2026-33529: Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Vendor Tobychui
Product zoraxy
Weakness CWE-22 · Path traversal
Published March 26, 2026
Last update March 27, 2026

CVSS base score

3.3/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Zoraxy is a general-purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, a path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to remote code execution (RCE) by creating a plugin. Version 3.3.2 patches the issue.

Key dates

02 Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated