Is github.com/tobychui/zoraxy affected by CVE-2026-33529?

Go github.com/tobychui/zoraxy is affected in <3.3.2+incompatible.

Is CVE-2026-33529 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

medium

CVE-2026-33529

Q: Is CVE-2026-33529 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

Go · github.com/tobychui/zoraxy

Summary

Zoraxy: Authenticated Path Traversal in Config Import leads to RCE in github.com/tobychui/zoraxy

Severity: medium
EPSS: 0.4% (p35)
Also known as: GHSA-7pq3-326h-f8q9, GO-2026-4844
Published: 2026-03-26

References

https://github.com/tobychui/zoraxy/security/advisories/GHSA-7pq3-326h-f8q9
https://github.com/tobychui/zoraxy/commit/69ac755aeec5d15ba4c62099f7f1ed77a855b40b
https://github.com/tobychui/zoraxy/releases/tag/v3.3.2

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.