CVE-2026-33529

low-risk

Published 2026-03-26

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.3/10 Low

NETWORK / HIGH complexity

Affected Products (1)

Zoraxy

Affected Vendors

Zoraxy

References (3)

Patch https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b4...

Release Notes https://github.com/tobychui/zoraxy/releases/tag/v3.3.2

Exploit https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9

/ 100

low-risk

Severity 12/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal