Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted into the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
Published: 2026-03-17
Score: 8.8 High
EPSS: 1.0% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection in the /config/compare/<service>/<server_ip>/show endpoint of Roxy-WI, allowing an authenticated user to execute arbitrary system commands on the host. This leads to complete compromise of the underlying server, granting attackers full control over the system. The flaw is due to direct formatting of user input into a template string, which is then executed. The weakness corresponds to CWE-77 (Command Injection) and CWE-78 (OS Command Injection).

Affected Systems

Roxy-WI, the web interface for managing HAProxy, Nginx, Apache and Keepalived servers, is affected in all releases prior to version 8.2.6.3. Users running any earlier version of the software are vulnerable.

Risk and Exploitability

The CVSS base score is 8.8, indicating high severity. The EPSS score is below 1%, suggesting a relatively low probability of exploitation at the current time, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires valid user credentials to access the application and the /config/compare endpoint, so attackers must first authenticate. Once authenticated, they can supply a specially crafted diff parameter to execute arbitrary commands. Because the flaw resides in server-side code, it can affect the entire host, so the impact is high if exploited.

Generated by OpenCVE AI on March 19, 2026 at 19:25 UTC.
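The pattern the description and analysis point at (a request parameter formatted straight into a command template) next to its hardened form, as an added illustration that is not Roxy-WI's code: the template string, function names and identifier rules are assumptions, and the vulnerable variant only builds the string without executing it.

```python
import re
import subprocess

# Constructed stand-in for the vulnerable pattern: the request parameter is
# formatted straight into a shell command template. The template and the
# function names are assumptions, not Roxy-WI's code. Only the command
# string is built here; it is never handed to a shell.
VULNERABLE_TEMPLATE = "diff {left} {right}"


def build_vulnerable_command(left: str, right: str) -> str:
    """Unsafe: whatever the caller supplies lands verbatim in the shell line."""
    return VULNERABLE_TEMPLATE.format(left=left, right=right)


# Hardened form: a strict allowlist for the config identifier, plus an argv
# list so no shell ever parses the values. The identifier rule is assumed.
_SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_config_id(value: str) -> str:
    """Accept only plain identifiers; reject metacharacters and traversal."""
    if not _SAFE_ID.fullmatch(value) or ".." in value:
        raise ValueError(f"rejected config identifier: {value!r}")
    return value


def build_safe_argv(left: str, right: str) -> list[str]:
    """Build the command as an argument vector; validation happens first."""
    return ["diff", validate_config_id(left), validate_config_id(right)]


def run_safe_diff(left: str, right: str, config_dir: str) -> subprocess.CompletedProcess:
    """Run diff without a shell, confined to config_dir (assumed layout)."""
    return subprocess.run(build_safe_argv(left, right), cwd=config_dir,
                          capture_output=True, text=True, check=False)
```

The argv form removes the shell from the path entirely; the allowlist is a second layer that also stops path traversal out of the config directory.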

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy-WI to version 8.2.6.3 or later.
  • Verify that authentication mechanisms are properly configured to limit access to trusted users.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Roxy-wi; Roxy-wi roxy-wi
Vendors & Products | | Roxy-wi; Roxy-wi roxy-wi

Wed, 18 Mar 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted into the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
Title | | Roxy-WI has a Command Injection via diff parameter in config comparison allows authenticated RCE
Weaknesses | | CWE-77; CWE-78
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:53:19.520Z

Reserved: 2026-02-24T02:31:33.267Z

Link: CVE-2026-27811

Vulnrichment

Updated: 2026-03-18T19:53:05.545Z

NVD

Status : Analyzed

Published: 2026-03-18T00:16:19.427

Modified: 2026-03-19T18:00:58.453

Link: CVE-2026-27811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:18Z

Weaknesses