6.5

CVE-2026-33528

Exploit

GoDoxy has a Path Traversal Vulnerability in its File API

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GodoxyGodoxy SwPlatformgo Version < 0.27.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.5% 0.388
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 6.5 1.2 5.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v
Vendor Advisory
Exploit
Mitigation
https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059
Patch
https://github.com/yusing/godoxy/releases/tag/v0.27.5
Product
Release Notes