CVE-2026-33529 — LOW (3.3) — White Hats Nepal

Q: How severe is CVE-2026-33529?

CVE-2026-33529 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-33529?

Check the references section above for vendor advisories and patch information. Affected products include: Zoraxy Zoraxy.

Vulnerability Description

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin. Version 3.3.2 patches the issue.

CVSS Score

3.3

LOW

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Zoraxy	Zoraxy	< 3.3.2

Related Weaknesses (CWE)

CWE-22

References

https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b4Patch
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2Release Notes
https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9ExploitVendor Advisory

FAQ

What is CVE-2026-33529?

CVE-2026-33529 is a vulnerability with a CVSS score of 3.3 (LOW). Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. Prior to version 3.3.2, an authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated u...

How severe is CVE-2026-33529?

CVE-2026-33529 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33529?

Check the references section above for vendor advisories and patch information. Affected products include: Zoraxy Zoraxy.