Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.
Published: 2026-04-24
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Roxy-WI, a web interface used to manage Haproxy, Nginx, Apache and Keepalived servers, suffers from a SQL injection flaw in the haproxy_section_save function. The server_ip parameter, taken from the URL path, is passed through without sanitization and ultimately interpolated into a SQL query via Python string formatting. This flaw is a classic injection weakness (CWE‑89) that allows an attacker to execute arbitrary SQL statements, potentially leading to unauthorized data access, data modification, or further privilege escalation through the database.

Affected Systems

The vulnerability affects all installed versions of Roxy‑WI that are older than version 8.2.6.4; the patch that removes the flaw is delivered in 8.2.6.4 and later releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.9, indicating high severity, but its EPSS score is listed as less than 1%, suggesting a low probability of exploitation in the wild. It is not currently catalogued in the CISA KEV list. Based on the description, the likely attack vector is through the web interface, requiring an authenticated session with sufficient privileges to access the haproxy_section_save endpoint. The low EPSS mitigates immediate risk, yet the potential for database compromise warrants prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy‑WI to version 8.2.6.4 or later, which removes the unsanitized server_ip parameter from the SQL query.
  • Ensure that all URL parameters received by the Roxy‑WI application are validated and sanitized before use in any database operations.
  • Restrict access to the haproxy_section_save endpoint and similar configuration routes to administrators only, and monitor database logs for suspicious query activity.

Generated by OpenCVE AI on April 28, 2026 at 14:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Roxy-wi
Roxy-wi roxy-wi
CPEs cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Vendors & Products Roxy-wi
Roxy-wi roxy-wi
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 24 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.
Title Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Roxy-wi Roxy-wi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T12:10:25.193Z

Reserved: 2026-03-17T19:27:06.345Z

Link: CVE-2026-33078

cve-icon Vulnrichment

Updated: 2026-04-24T12:10:08.223Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T03:16:10.657

Modified: 2026-04-27T15:10:14.757

Link: CVE-2026-33078

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses