CVE-2026-33528: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in yusing godoxy
CVE-2026-33528 is a path traversal vulnerability in yusing godoxy versions prior to 0. 27. 5. The vulnerability exists in the file content API endpoint at /api/v1/file/content, where the filename parameter is not properly sanitized. An authenticated attacker can exploit this to read or write files outside the intended config directory, potentially accessing sensitive files such as TLS private keys and OAuth tokens. The issue is fixed in version 0. 27. 5.
AI Analysis
Technical Summary
GoDoxy is a reverse proxy and container orchestrator. In versions before 0.27.5, the /api/v1/file/content endpoint accepts a filename query parameter that is concatenated with a relative base path ('config') using path.Join without proper sanitization. This allows an authenticated user to use '../' sequences to traverse directories and access or modify files outside the intended directory. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS 3.1 score is 6.5 (medium severity) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impact but no availability impact. Version 0.27.5 addresses this issue.
Potential Impact
An authenticated attacker with high privileges can exploit this vulnerability to read or write arbitrary files accessible to the container's user ID. This includes sensitive configuration files such as TLS private keys and OAuth refresh tokens, potentially leading to credential compromise and further system access. There is no direct impact on availability.
Mitigation Recommendations
Upgrade to version 0.27.5 or later, where this path traversal vulnerability is fixed. Since this is an application-level vulnerability, patching the software is the recommended and effective mitigation. No other vendor advisory or temporary fixes are indicated.
CVE-2026-33528: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in yusing godoxy
Description
CVE-2026-33528 is a path traversal vulnerability in yusing godoxy versions prior to 0. 27. 5. The vulnerability exists in the file content API endpoint at /api/v1/file/content, where the filename parameter is not properly sanitized. An authenticated attacker can exploit this to read or write files outside the intended config directory, potentially accessing sensitive files such as TLS private keys and OAuth tokens. The issue is fixed in version 0. 27. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GoDoxy is a reverse proxy and container orchestrator. In versions before 0.27.5, the /api/v1/file/content endpoint accepts a filename query parameter that is concatenated with a relative base path ('config') using path.Join without proper sanitization. This allows an authenticated user to use '../' sequences to traverse directories and access or modify files outside the intended directory. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS 3.1 score is 6.5 (medium severity) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating network attack vector, low complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality and integrity impact but no availability impact. Version 0.27.5 addresses this issue.
Potential Impact
An authenticated attacker with high privileges can exploit this vulnerability to read or write arbitrary files accessible to the container's user ID. This includes sensitive configuration files such as TLS private keys and OAuth refresh tokens, potentially leading to credential compromise and further system access. There is no direct impact on availability.
Mitigation Recommendations
Upgrade to version 0.27.5 or later, where this path traversal vulnerability is fixed. Since this is an application-level vulnerability, patching the software is the recommended and effective mitigation. No other vendor advisory or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T18:05:11.830Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c58caf3c064ed76fc66ff2
Added to database: 3/26/2026, 7:44:47 PM
Last enriched: 4/3/2026, 1:41:55 PM
Last updated: 5/8/2026, 9:06:10 PM
Views: 60
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.