CVE-2026-55477
HighCVSS 7.2Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
3X-UI is a control panel for managing Xray-core servers. Prior to version 3.3.1, an authenticated administrator could abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database.
Risk Assessment
Exploitation of this vulnerability could lead to code execution and persistent access as the user running Xray, including root when Xray is running with root privileges. This poses a significant security risk to the system.
Recommendation
It is recommended to upgrade to version 3.3.1 or later to mitigate this vulnerability. Additionally, monitoring administrator access and implementing restrictions on database import functionality is advised.
Original NVD description (English source)
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.

