Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable panel feature (AV:N/AC:L) but requires an authenticated admin (PR:H); arbitrary file write yields code execution with full C/I/A impact and no scope change.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.
AnalysisAI
Arbitrary file write in 3X-UI, a web control panel for managing Xray-core proxy servers, allows an authenticated administrator to write attacker-controlled files anywhere on the host by tampering with Xray configuration values through the database import feature in versions prior to 3.3.1. Because the written files execute in the context of the Xray process - frequently root in self-hosted deployments - this escalates to full code execution and persistent host compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated 3X-UI administrator session (CVSS PR:H) and access to the panel's database import functionality; the attacker abuses Xray configuration values stored in the database to direct an arbitrary file write on the host. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable and low-complexity, but gated by PR:H, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained 3X-UI administrator access - for example by phishing or reusing leaked credentials against an internet-exposed panel - crafts a malicious database export that embeds Xray configuration values pointing a file write to a sensitive host path such as a cron directory, an SSH authorized_keys file, or a service startup script. Using the panel's database import functionality, they trigger the write and obtain code execution as the Xray user (root where Xray runs as root), establishing persistent access. … |
| Remediation | Upgrade to 3X-UI 3.3.1, which contains the fix, per the vendor advisory at https://github.com/MHSanaei/3x-ui/security/advisories/GHSA-jm48-m3rr-9hgg (vendor-released patch: 3.3.1). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all 3X-UI deployments and identify versions currently in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39432