CVE-2026-33027 · EXPLOITED · PATCHED
go · github.com/0xjacky/nginx-ui

Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
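The class of check the description points at, as an added Go example (not nginx-ui's code or its patch): the path is decoded once, cleaned, and accepted only if it is a strict descendant of the base, so a path that resolves to /etc/nginx itself is refused. The function names, error values and sample inputs are hypothetical and constructed here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// baseDir is the configuration root named in the description.
const baseDir = "/etc/nginx"

var (
	ErrOutsideBase = errors.New("path escapes base directory")
	ErrIsBase      = errors.New("path resolves to the base directory itself")
)

// naiveAllowed models a prefix-only check (constructed, not nginx-ui code):
// it accepts any cleaned path starting with the base, including the base.
func naiveAllowed(userPath string) bool {
	decoded, _ := url.PathUnescape(userPath)
	return strings.HasPrefix(filepath.Join(baseDir, decoded), baseDir)
}

// safeTarget decodes once, cleans, and requires the result to be a strict
// descendant of baseDir before a destructive operation may use it.
func safeTarget(userPath string) (string, error) {
	decoded, err := url.PathUnescape(userPath)
	if err != nil {
		return "", err
	}
	full := filepath.Join(baseDir, decoded) // Join also applies filepath.Clean
	if full == baseDir {
		return "", ErrIsBase
	}
	if !strings.HasPrefix(full, baseDir+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

func main() {
	// Constructed inputs for illustration; none are taken from the advisory.
	for _, p := range []string{"sites-enabled/a.conf", "sites-enabled/%2e%2e", "%2e%2e/passwd", ""} {
		t, err := safeTarget(p)
		fmt.Printf("%-24q naive=%v safe=%q err=%v\n", p, naiveAllowed(p), t, err)
	}
}
```

The check is purely lexical; where symlinks can exist under the base, the resolved path (for example via filepath.EvalSymlinks) needs the same comparison.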

Affected Products

Vendor: go
Product: github.com/0xjacky/nginx-ui
Versions: go/github.com/0xJacky/Nginx-UI: <= 1.99

References

  • https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m8p8-53vf-8357 (x_refsource_CONFIRM)
  • https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4 (x_refsource_MISC)

Related News (1 articles)

Tier C · VulDB · 3h ago
CVE-2026-33027 | 0xJacky nginx-ui up to 2.3.3 path traversal (GHSA-m8p8-53vf-8357)
→ No new info (linked only)
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 2.3.4
CWE: CWE-22, CWE-73
Published: Mar 30, 2026
Last enriched: 3h ago (v2)
Tags: GHSA-m8p8-53vf-8357, go
Trending Score: 61
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-33032 · EXP · Trending: 73
    Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
  • HIGH · CVE-2026-33028 · EXP · Trending: 56
    Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse
  • CRITICAL · CVE-2026-34041 · EXP · Trending: 33
    act: Unrestricted set-env and add-path command processing enables environment injection
  • HIGH · CVE-2026-33030 · Trending: 27
    Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys
  • MEDIUM · CVE-2026-33029 · Trending: 24
    Nginx UI: DoS via Negative Integer Input in Logrotate Interval

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Mar 30, 2026
  • Discovered by ZDM: Mar 30, 2026
  • Actively Exploited: Mar 30, 2026
  • Patch Available: Mar 30, 2026
  • Updated: severity, activelyExploited, patchAvailable: Mar 30, 2026

Version History

v2 · Tier C · 3h ago (last enriched 3h ago)

Updated severity to CRITICAL, marked as actively exploited, and specified patch available in version 2.3.4.

Changed fields: severity, activelyExploited, patchAvailable (via VulDB)

v1 · 6h ago

Initial creation