CVE-2026-33528

Severity: MEDIUM · EPSS 39.1%
Published Mar 26, 2026 · Modified Jun 17, 2026
CVSS 3.1 base score 6.5 (Medium)

Description

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
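To make the mechanism in the description concrete, the following is an added Go example (not GoDoxy's code and not its actual fix) that contrasts the unchecked `path.Join` with a variant that rejects any result that no longer sits under the base directory. The function names, `ErrPathEscape`, and the sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ConfigBasePath mirrors the relative base named in the advisory.
const ConfigBasePath = "config"

// vulnerableJoin reproduces the pre-0.27.5 pattern the advisory describes:
// the query parameter goes straight into path.Join, which cleans ".."
// segments, so the result can resolve outside config/.
func vulnerableJoin(filename string) string {
	return path.Join(ConfigBasePath, filename)
}

// ErrPathEscape is a constructed error for the hardened variant below.
var ErrPathEscape = errors.New("filename escapes config directory")

// safeJoin is an added, hardened variant: join, then verify the cleaned
// result is still strictly inside ConfigBasePath. Because path.Join
// cleans its output, any surviving ".." sits at the front and fails the
// prefix check. This is a lexical check only; it does not follow symlinks.
func safeJoin(filename string) (string, error) {
	if filename == "" {
		return "", errors.New("filename is required")
	}
	joined := path.Join(ConfigBasePath, filename)
	if !strings.HasPrefix(joined, ConfigBasePath+"/") {
		return "", ErrPathEscape
	}
	return joined, nil
}

func main() {
	// Constructed inputs: in-tree names, an escaping name, one that
	// re-enters the base, and an absolute-looking name.
	inputs := []string{"app.yml", "sub/x.yml", "../outside.txt", "../config/app.yml", "/abs/file", "."}
	for _, in := range inputs {
		safe, err := safeJoin(in)
		fmt.Printf("%-20q unchecked=%-22q checked=%q err=%v\n", in, vulnerableJoin(in), safe, err)
	}
}
```

Note that `../config/app.yml` is accepted because it resolves back inside the base; the check is on the cleaned result, not on the raw input.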

CVSS Details

Base Score
6.5
Exploitability
1.2
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
39.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-22: Path Traversal (category: Resource Mgmt)

Affected Products 1

Vendor    Product    Version Range
godoxy    godoxy     * <0.27.5

References 3

  • github.com https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
    Patch
  • github.com https://github.com/yusing/godoxy/releases/tag/v0.27.5
    Product, Release Notes
  • github.com https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
    Patch