Skip to main content

3X-UI EUVDEUVD-2026-39432

| CVE-2026-55477 HIGH
External Control of File Name or Path (CWE-73)
2026-06-25 GitHub_M
7.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable panel feature (AV:N/AC:L) but requires an authenticated admin (PR:H); arbitrary file write yields code execution with full C/I/A impact and no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 17:02 EUVD
Analysis Generated
Jun 25, 2026 - 16:21 vuln.today

DescriptionCVE.org

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.

AnalysisAI

Arbitrary file write in 3X-UI, a web control panel for managing Xray-core proxy servers, allows an authenticated administrator to write attacker-controlled files anywhere on the host by tampering with Xray configuration values through the database import feature in versions prior to 3.3.1. Because the written files execute in the context of the Xray process - frequently root in self-hosted deployments - this escalates to full code execution and persistent host compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain admin credentials for 3X-UI panel
Delivery
Authenticate to web control panel
Exploit
Craft malicious database export with Xray config paths
Install
Trigger database import to write file
C2
Place payload in privileged path
Execute
Achieve code execution as Xray user
Impact
Establish persistent root access

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated 3X-UI administrator session (CVSS PR:H) and access to the panel's database import functionality; the attacker abuses Xray configuration values stored in the database to direct an arbitrary file write on the host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network-reachable and low-complexity, but gated by PR:H, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained 3X-UI administrator access - for example by phishing or reusing leaked credentials against an internet-exposed panel - crafts a malicious database export that embeds Xray configuration values pointing a file write to a sensitive host path such as a cron directory, an SSH authorized_keys file, or a service startup script. Using the panel's database import functionality, they trigger the write and obtain code execution as the Xray user (root where Xray runs as root), establishing persistent access. …
Remediation Upgrade to 3X-UI 3.3.1, which contains the fix, per the vendor advisory at https://github.com/MHSanaei/3x-ui/security/advisories/GHSA-jm48-m3rr-9hgg (vendor-released patch: 3.3.1). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all 3X-UI deployments and identify versions currently in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy