CVE Catalog

CVE-2026-55477

HighCVSS 7.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

3X-UI is a control panel for managing Xray-core servers. Prior to version 3.3.1, an authenticated administrator could abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database.

Risk Assessment

Exploitation of this vulnerability could lead to code execution and persistent access as the user running Xray, including root when Xray is running with root privileges. This poses a significant security risk to the system.

Recommendation

It is recommended to upgrade to version 3.3.1 or later to mitigate this vulnerability. Additionally, monitoring administrator access and implementing restrictions on database import functionality is advised.

Original NVD description (English source)

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code execution and persistent access as the user running Xray (including root when Xray is running as root). This vulnerability is fixed in 3.3.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS