PT-2026-28166 · Zoraxy · Zoraxy

Jakeperalta7 · Published 2026-03-25 · Updated 2026-03-27 · CVE-2026-33529

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zoraxy versions prior to 3.3.2
Description: Zoraxy is a general-purpose HTTP reverse proxy and forwarding tool. A path traversal vulnerability exists in the configuration import endpoint (POST /api/conf/import) when it handles the entries of an uploaded zip file. An authenticated user can exploit it to write arbitrary files outside the intended configuration directory, which can lead to remote code execution (RCE) by creating a malicious plugin. The sanitization of zip entry names is bypassed by embedding "../" inside a longer sequence, so that the replacement itself produces a new "../". Authentication with a valid username and password is required. The traversal allows the creation of a new plugin and modification of its entrypoint to add execution permissions to the plugin.
Recommendations: Versions prior to 3.3.2 should be updated to version 3.3.2 or later.
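The following Go program is an added illustration of the sanitization pattern the advisory describes; it is not Zoraxy's code and does not reproduce the project's import handler. naiveSanitize stands in for a single-pass "../" removal (a hypothetical reconstruction of the weak check), and safeJoin shows the defensive alternative: normalize the entry name with filepath.Clean, join it to the destination directory, and reject any result that does not stay under that directory. The destination path /opt/zoraxy/conf and the sample entry names are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveSanitize models a single-pass substring removal (hypothetical, not
// Zoraxy's implementation). Deleting "../" once is not idempotent: a name in
// which "../" is nested inside a longer run of dots and slashes collapses into
// a fresh "../" after the deletion, which is the class of bypass the advisory
// describes.
func naiveSanitize(name string) string {
	return strings.ReplaceAll(name, "../", "")
}

// insideDir reports whether target, after cleaning, is dir itself or lies
// beneath it. The separator is appended before the prefix check so that
// "/opt/zoraxy2" is not mistaken for a child of "/opt/zoraxy".
func insideDir(dir, target string) bool {
	dir = filepath.Clean(dir)
	target = filepath.Clean(target)
	return target == dir || strings.HasPrefix(target, dir+string(filepath.Separator))
}

// safeJoin resolves a zip entry name against destDir and refuses anything
// that would be written outside it. It never tries to "remove" traversal
// sequences; it resolves the path and checks where it actually lands.
func safeJoin(destDir, name string) (string, error) {
	// Absolute entries and backslash separators have no business in an
	// archive that is meant to populate a single configuration directory.
	if filepath.IsAbs(name) || strings.Contains(name, "\\") {
		return "", fmt.Errorf("rejected entry %q: absolute path or backslash", name)
	}
	// filepath.Join cleans the result, so "a/../../x" is resolved here.
	target := filepath.Join(destDir, name)
	if !insideDir(destDir, target) {
		return "", fmt.Errorf("rejected entry %q: resolves outside %s", name, destDir)
	}
	return target, nil
}

// naiveEscapes reports whether writing the naively sanitized name under
// destDir would leave the directory, i.e. whether the weak check is bypassed.
func naiveEscapes(destDir, name string) bool {
	return !insideDir(destDir, filepath.Join(destDir, naiveSanitize(name)))
}

func main() {
	const destDir = "/opt/zoraxy/conf" // constructed destination for the example

	// Constructed entry names: a benign one, a plain traversal, a nested
	// traversal that survives single-pass removal, and an absolute path.
	entries := []string{
		"plugins/example/entry.sh",
		"../plugins/example/entry.sh",
		"....//plugins/example/entry.sh",
		"/etc/hostname",
	}

	for _, name := range entries {
		fmt.Printf("entry %q\n", name)
		fmt.Printf("  naive sanitizer -> %q (escapes dir: %v)\n",
			naiveSanitize(name), naiveEscapes(destDir, name))
		if target, err := safeJoin(destDir, name); err != nil {
			fmt.Printf("  safeJoin        -> %v\n", err)
		} else {
			fmt.Printf("  safeJoin        -> %s\n", target)
		}
	}
}
```

The design point is that a substring-deletion sanitizer has to be applied until a fixed point and still leaves room for encoding and platform quirks, whereas resolving the path and checking containment answers the only question that matters: where the file will end up. A detection-side check for an import handler would log and reject on the same condition safeJoin uses, rather than on the presence of "../" in the raw name.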

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-33529
GHSA-7PQ3-326H-F8Q9
GO-2026-4844
SUSE-SU-2026:1135-1

Affected Products

Zoraxy