CVE-2026-33529: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tobychui zoraxy
Zoraxy versions prior to 3. 3. 2 contain an authenticated path traversal vulnerability in the configuration import endpoint. This flaw allows an authenticated user to write arbitrary files outside the intended configuration directory. Exploiting this vulnerability can lead to remote code execution by creating a malicious plugin. The issue is fixed in version 3. 3. 2. The vulnerability has a low CVSS score of 3. 3 and requires high privileges and no user interaction for exploitation.
AI Analysis
Technical Summary
CVE-2026-33529 is a CWE-22 path traversal vulnerability in tobychui's Zoraxy HTTP reverse proxy and forwarding tool. Before version 3.3.2, an authenticated user could exploit the configuration import endpoint to write files outside the restricted config directory. This improper limitation of pathname allows potential remote code execution by placing a crafted plugin. The vulnerability has been addressed in version 3.3.2.
Potential Impact
An authenticated user with high privileges can write arbitrary files outside the configuration directory, potentially leading to remote code execution by creating a malicious plugin. The confidentiality and integrity of the system can be impacted, but availability is not affected. The CVSS score is low (3.3) due to the requirement for high privileges and no user interaction.
Mitigation Recommendations
Upgrade Zoraxy to version 3.3.2 or later, where this vulnerability is patched. No other mitigations are specified or required once the update is applied.
CVE-2026-33529: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tobychui zoraxy
Description
Zoraxy versions prior to 3. 3. 2 contain an authenticated path traversal vulnerability in the configuration import endpoint. This flaw allows an authenticated user to write arbitrary files outside the intended configuration directory. Exploiting this vulnerability can lead to remote code execution by creating a malicious plugin. The issue is fixed in version 3. 3. 2. The vulnerability has a low CVSS score of 3. 3 and requires high privileges and no user interaction for exploitation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33529 is a CWE-22 path traversal vulnerability in tobychui's Zoraxy HTTP reverse proxy and forwarding tool. Before version 3.3.2, an authenticated user could exploit the configuration import endpoint to write files outside the restricted config directory. This improper limitation of pathname allows potential remote code execution by placing a crafted plugin. The vulnerability has been addressed in version 3.3.2.
Potential Impact
An authenticated user with high privileges can write arbitrary files outside the configuration directory, potentially leading to remote code execution by creating a malicious plugin. The confidentiality and integrity of the system can be impacted, but availability is not affected. The CVSS score is low (3.3) due to the requirement for high privileges and no user interaction.
Mitigation Recommendations
Upgrade Zoraxy to version 3.3.2 or later, where this vulnerability is patched. No other mitigations are specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T18:05:11.830Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c58caf3c064ed76fc66ff7
Added to database: 3/26/2026, 7:44:47 PM
Last enriched: 4/3/2026, 1:35:40 PM
Last updated: 5/7/2026, 4:31:31 AM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.