Advisories for Golang/Github.com/Tobychui/Zoraxy package

An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin.

A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.