Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.
Published: 2026-04-24
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The haproxy_section_save interface in Roxy-WI allows an authenticated user to craft a request that performs a path traversal and writes an arbitrary file into the scheduled tasks directory. This flaw can be used to drop a web shell or modify system startup scripts, leading to remote code execution on the host. The weakness is a classic path traversal (CWE-22).

Affected Systems

Vendor roxy-wi, product roxy-wi. Versions prior to 8.2.6.4, specifically any instance of Roxy‑WI 8.2.6.3 or earlier, are vulnerable. No older versions were explicitly identified as unaffected.

Risk and Exploitability

The CVSS score of 8.9 indicates high severity. The EPSS score is below 1 %, suggesting that exploitation is currently unlikely to be widespread, and the vulnerability is not listed in CISA’s KEV catalog. The attack can be executed remotely by sending a specially crafted HTTP request to the haproxy_section_save endpoint, assuming the attacker has valid authentication credentials or can otherwise obtain them. Successful exploitation allows the attacker to write files to arbitrary locations within the application’s filesystem, which can be leveraged for remote code execution.

Generated by OpenCVE AI on April 28, 2026 at 07:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Roxy-WI 8.2.6.4 or later, which removes the vulnerable path handling.
  • Restrict network access to the Roxy‑WI management interface and enforce strong authentication to limit who can hit the haproxy_section_save endpoint.
  • Monitor the system for unexpected file creations or modifications in the scheduled‑tasks directory and set file‑system permissions to deny write access to non‑privileged users.

Generated by OpenCVE AI on April 28, 2026 at 07:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Roxy-wi
Roxy-wi roxy-wi
CPEs cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Vendors & Products Roxy-wi
Roxy-wi roxy-wi
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.
Title Roxy-WI vulnerable to path traversal and arbitrary file writing
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Roxy-wi Roxy-wi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:18:11.424Z

Reserved: 2026-03-17T19:27:06.344Z

Link: CVE-2026-33076

cve-icon Vulnrichment

Updated: 2026-04-24T17:10:48.715Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T03:16:10.227

Modified: 2026-04-27T15:03:04.630

Link: CVE-2026-33076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses