Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.
Published: 2026-04-24
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Roxy-WI, a web interface for managing popular web and load balancer servers, contains an OS command injection flaw in the find-in-config endpoint. The vulnerability resides in the words parameter, which is concatenated into a shell command that is executed on a remote server via SSH. An attacker who has authenticated access can inject shell metacharacters to break out of the intended grep context and run arbitrary commands with sudo privileges, effectively compromising the target server and all services it hosts. The issue was identified as a CWE‑78 weakness.

Affected Systems

All Roxy-WI installations running a version older than 8.2.6.4 are affected. The flaw exists in the /config/<service>/find‑in‑config endpoint across the Roxy‑WI product. No specific configurations beyond authentication are required—any authenticated user who can invoke the endpoint can exploit the vulnerability.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.4, indicating a high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation under current attack‑surface observations, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local (authenticated) but results in remote code execution due to the privileged SSH session, presenting a serious risk if the administrator’s role is compromised or misused. Given the severity and the ease of exploitation once authentication is achieved, patching remains the most effective countermeasure.

Generated by OpenCVE AI on April 28, 2026 at 07:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy-WI to version 8.2.6.4 or later to apply the vendor patch that sanitizes the words parameter.
  • Restrict or disable the /config/<service>/find‑in‑config endpoint unless absolutely required, limiting exposure to malicious input.
  • Ensure the SSH identity used by Roxy‑WI does not have unnecessary sudo privileges; restrict sudo rights to the minimal commands required for management tasks.

Generated by OpenCVE AI on April 28, 2026 at 07:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Roxy-wi
Roxy-wi roxy-wi
CPEs cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Vendors & Products Roxy-wi
Roxy-wi roxy-wi
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.
Title Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Roxy-wi Roxy-wi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T16:28:13.136Z

Reserved: 2026-03-17T23:23:58.312Z

Link: CVE-2026-33208

cve-icon Vulnrichment

Updated: 2026-04-24T16:28:09.888Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T03:16:10.863

Modified: 2026-04-27T15:16:15.437

Link: CVE-2026-33208

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses