Low severity3.3NVD Advisory· Published Mar 26, 2026· Updated Apr 2, 2026
CVE-2026-33529
CVE-2026-33529
Description
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/tobychui/zoraxyGo | < 3.3.2 | 3.3.2 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/tobychui/zoraxypkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 3.3.2+ 1 more
- (no CPE)range: < 3.3.2
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
Patches
Vulnerability mechanics
References
5- github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40bnvdPatchWEB
- github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-7pq3-326h-f8q9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33529ghsaADVISORY
- github.com/tobychui/zoraxy/releases/tag/v3.3.2nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.