Nixpkgs security tracker
Permalink
CVE-2026-33529
3.3 LOW
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): High (H)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Zoraxy: Authenticated Path Traversal in Config Import leads to RCE
Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.
References
-
https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9 x_refsource_CONFIRM
-
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2 x_refsource_MISC
Affected products
zoraxy
- ==< 3.3.2
Package maintainers
-
@luftmensch-luftmensch Valentino Bocchetti <valentinobocchetti59@gmail.com>