#VU127229 Path traversal in nginx-ui - CVE-2024-49366

 


Published: October 21, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127229
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-49366
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
nginx-ui
Software vendor:
Nginx UI

Description

The vulnerability allows a remote user to write arbitrary files.

The vulnerability exists due to path traversal in the GetConfPath() function in internal/nginx/config_args.go when handling user-supplied json.name values in site and stream management requests. A remote user can send a specially crafted request to write arbitrary files.

The issue can also be exploited through duplicate and copy operations, and nginx configuration content is controllable because the application does not check the nginx configuration file by default.
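
For teams reviewing similar Go code, the following added example (not nginx-ui's code and not the vendor's fix) shows a containment check for a user-supplied file name joined onto a configuration directory. The helper name SafeConfPath, the error value and the base directory are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a name does not resolve strictly inside base.
var ErrOutsideBase = errors.New("path escapes configuration directory")

// SafeConfPath joins a user-supplied name onto base and rejects any result
// that is not strictly inside base. Hypothetical helper, not nginx-ui's code.
func SafeConfPath(base, name string) (string, error) {
	// Reject empty names, embedded NUL bytes and absolute paths outright.
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "../" sequences are resolved lexically here.
	candidate := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// "." is the base itself; ".." or a "../" prefix means the path left base.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	base := "/etc/nginx/sites-available" // assumed base directory
	// Constructed sample names: one legitimate, the rest must be rejected.
	names := []string{"example.conf", "..conf", "../../cron.d/job", "a/../../b", "/etc/passwd", ".."}
	for _, name := range names {
		p, err := SafeConfPath(base, name)
		fmt.Printf("%-20q -> %q, %v\n", name, p, err)
	}
}
```

The check is lexical only: it does not resolve symbolic links, so a deployment that allows symlinks inside the base directory needs an additional check on the resolved path. Copy and duplicate handlers need the same check on both source and destination names.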


Remediation

Install the security update from the vendor's website.
