← volver
CVE-2026-55477

Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

CVSS 7.2 HIGHEPSS 0.3%CWE-73
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.2EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
25 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Productos afectados
MHSanaei · 3x-ui

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/MHSanaei/3x-ui/security/advisories/GHSA-jm48-m3rr-9hgg