Description

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at `/api/v1/file/content` is vulnerable to path traversal. The `filename` query parameter is passed directly to `path.Join(common.ConfigBasePath, filename)` where `ConfigBasePath = "config"` (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (`binding:"required"`). An authenticated attacker can use `../` sequences to read or write files outside the intended `config/` directory, including TLS private keys, OAuth refresh tokens, and any file accessible to the container's UID. Version 0.27.5 fixes the issue.

INFO

Published Date :

2026-03-26T19:24:50.452Z

Last Modified :

2026-03-27T13:57:45.401Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33528 vulnerability.

Vendors Products
Yusing
  • Godoxy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33528.

URL Resource
https://github.com/yusing/godoxy/commit/a541d75bb50f1b542c096d8bc8082c3549f5c059 cve-icon cve-icon
https://github.com/yusing/godoxy/releases/tag/v0.27.5 cve-icon cve-icon
https://github.com/yusing/godoxy/security/advisories/GHSA-4753-cmc8-8j9v cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact