Arbitrary File Write Vulnerability in 3X-UI Web Control Panel by MHSanaei
CVE-2026-55477

7.2 HIGH

Key Information:

Vendor: Mhsanaei

Status
Vendor
CVE Published: 25 June 2026

What is CVE-2026-55477?

3X-UI, a web control panel for managing Xray-core servers, is affected by an arbitrary file write vulnerability in versions prior to 3.3.1. An authenticated administrator can manipulate the database import functionality to alter Xray configuration values stored in the database. By exploiting this flaw, an attacker can achieve code execution and gain persistent access to the host, potentially running commands with the privileges of the user operating Xray, which means root if Xray is executed as root. The issue was addressed in version 3.3.1.

Affected Version(s)

3x-ui < 3.3.1

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved