Platform
go
Component
github.com/tobychui/zoraxy
Fixed in
3.3.3
3.3.2
CVE-2026-33529 describes a Remote Code Execution (RCE) vulnerability in the configuration import endpoint of Zoraxy, a Go application. An authenticated attacker can use a path traversal flaw to write arbitrary files outside the designated configuration directory, and can turn that file write into code execution by dropping a malicious plugin. The vulnerability affects versions prior to 3.3.2; a patch has been released.
The primary impact of CVE-2026-33529 is that an attacker can achieve Remote Code Execution on a system running a vulnerable Zoraxy instance. By crafting a configuration import file whose entry names contain path traversal sequences (e.g., conf/..././..././entrypoint.py), an authenticated user can bypass the endpoint's sanitization and write files to arbitrary locations. The example pattern matters: a sanitizer that strips "../" in a single pass turns "..././" into "../", so the traversal survives the very step meant to remove it. With an arbitrary file write, the attacker can plant and execute a plugin, gaining control of the application and potentially the underlying server. The blast radius covers any data the Zoraxy process can reach and any services it proxies or interacts with. Authentication is required, but a compromised or low-privilege user account is enough to trigger the flaw.
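To make the bypass concrete, the following added example (written for this page, not code from the Zoraxy project) contrasts a single-pass "../" stripper with a hardened join that never rewrites input and instead checks where the resolved path lands. The base directory /opt/zoraxy/conf and the entry names are constructed for illustration and do not reflect Zoraxy's actual layout or import format.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// confDir is an assumed base directory for this example, not Zoraxy's real layout.
const confDir = "/opt/zoraxy/conf"

// naiveJoin models the kind of sanitizer the advisory's bypass defeats: it strips
// "../" in a single pass and then joins. Because "..././" collapses to "../" once
// the middle "../" is removed, the result still climbs out of the base directory.
func naiveJoin(base, name string) string {
	stripped := strings.ReplaceAll(name, "../", "")
	return filepath.Join(base, stripped)
}

var errTraversal = errors.New("entry path escapes the configuration directory")

// escapesBase reports whether target, once cleaned, lies outside base.
func escapesBase(base, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(target))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeJoin is the hardened form. It does no stripping at all: it rejects empty
// names, NUL bytes and absolute paths, lets filepath.Join resolve every ".."
// segment, and then verifies that the final path is still under base.
func safeJoin(base, name string) (string, error) {
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) {
		return "", errTraversal
	}
	target := filepath.Join(base, name)
	if escapesBase(base, target) {
		return "", errTraversal
	}
	return target, nil
}

func main() {
	// Constructed entry name using the bypass pattern quoted in the advisory.
	entry := "conf/..././..././entrypoint.py"

	fmt.Println("naive   :", naiveJoin(confDir, entry)) // lands in /opt/zoraxy, outside confDir
	if p, err := safeJoin(confDir, entry); err != nil {
		fmt.Println("hardened: rejected:", err)
	} else {
		fmt.Println("hardened:", p) // stays inside confDir; "..." is just an odd directory name
	}

	// Plain traversal attempts and one legitimate name, all constructed for the demo.
	for _, n := range []string{"conf/../../entrypoint.py", "../../../etc/passwd", "/etc/passwd", "proxy/site.json"} {
		p, err := safeJoin(confDir, n)
		fmt.Printf("%-28s -> %q %v\n", n, p, err)
	}
}
```

Two points worth noting. First, the raw "..././" pattern is not itself a traversal; it only becomes one after a sanitizer rewrites it, which is why the hardened version validates the resolved result rather than trying to scrub the input. Second, this check operates on lexical paths only; if the configuration directory may contain symlinks, resolve the target with filepath.EvalSymlinks before the containment check.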
CVE-2026-33529 was publicly disclosed on March 25, 2026. The published CVSS score is 3.3 (Low). There are currently no known public proof-of-concept exploits, and the vulnerability is not listed in the CISA KEV catalog as of this writing. Because exploitation requires valid credentials, widespread exploitation is less likely than for flaws reachable without authentication.
Organizations running Zoraxy, particularly those with custom plugins or integrations, are at risk. Shared or multi-tenant deployments where several users hold authenticated access to the Zoraxy instance are especially exposed, since any one compromised account can be used to trigger the vulnerability.
Detection checks (the install path, systemd unit name and endpoint below are assumptions; adjust them to your deployment):
• linux / server: find /opt/zoraxy/config -type f -name '*passwd*'
• linux / server: journalctl -u zoraxy -g "path traversal"
• generic web: curl -I http://your-zoraxy-instance/api/conf/import | grep -i 'content-type: multipart/form-data'
Note that multipart/form-data is a request content type, so a HEAD response will rarely carry it; treat the last command only as a reachability check for the import endpoint, not as evidence of exposure. The traversal sequences live inside the uploaded file, not in the request URL, so access logs alone will not reveal an attempt.
Disclosure
Exploit status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33529 is to upgrade Zoraxy to version 3.3.2 or later immediately, which includes the fix for this path traversal vulnerability. If upgrading is not immediately feasible, restrict who can reach the configuration import endpoint and enforce strict validation of entry names before anything is written to disk. A web application firewall configured to detect path traversal patterns can add a temporary layer of protection, but only if it inspects multipart upload bodies, since the traversal sequences are carried in the import file rather than in the URL. Regularly review and audit user permissions to limit the impact of a compromised account. After upgrading, confirm the fix on a non-production instance by importing a configuration file that contains path traversal sequences and verifying that the import is rejected with an appropriate error and that no file appears outside the configuration directory.
Update Zoraxy to version 3.3.2 or later. This version fixes the path traversal vulnerability that enables remote code execution. The update can be performed by downloading the new version from the official repository and replacing the existing files.
CVE-2026-33529 is a Remote Code Execution vulnerability in Zoraxy versions prior to 3.3.2. An authenticated user can exploit path traversal during configuration import to write arbitrary files, potentially leading to RCE.
You are affected if you are running Zoraxy versions 3.3.1 or earlier and utilize the configuration import functionality. Upgrade to 3.3.2 or later to mitigate the risk.
Upgrade Zoraxy to version 3.3.2 or later. As a temporary workaround, restrict write access to the configuration directory and implement strict input validation.
There is currently no evidence of active exploitation in the wild, but the potential for RCE remains a significant concern.
Refer to the Zoraxy project's official repository and release notes for the advisory and detailed information regarding the fix: [https://github.com/tobychui/zoraxy](https://github.com/tobychui/zoraxy)