← voltar
CVE-2026-55477

Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

CVSS 7.2 HIGHEPSS 0.3%CWE-73
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 7.2EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
25 jun 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
MHSanaei · 3x-ui

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/MHSanaei/3x-ui/security/advisories/GHSA-jm48-m3rr-9hgg