Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a bin/sh -c command-injection sink. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roxy‑WI versions 8.2.6.4 and earlier contain a flaw in the POST /config/versions/<service>/<server_ip>/<configver>/save endpoint where the configver URL segment is interpolated directly into an os.system call without validation. This permits an authenticated user with role 3 or lower to execute arbitrary shell commands on the host. The weakness is an OS Command Injection (CWE‑78). The impact is full remote code execution, allowing compromise of confidentiality, integrity, and availability for the underlying system.
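As an added illustration (not Roxy-WI's own code), the pattern named in the description and analysis above beside a hardened form: treat configver as an untrusted path token, validate it with a strict allow-list (the job EscapedString would have done), and pass an argv list to subprocess so no shell parses the path. CONFIG_ROOT and all function names are assumptions made for this example.

```python
import re
import subprocess
from typing import List

# Hypothetical directory for saved config versions; an assumption for this
# example, not Roxy-WI's real layout.
CONFIG_ROOT = "/var/lib/roxy-wi/configs"

# Strict allow-list for one path segment: alphanumerics plus '.', '_', '-'.
# No separators, no whitespace, no shell metacharacters.
CONFIGVER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_command(configver: str) -> str:
    """The pattern the advisory describes: the raw URL segment is spliced into
    a command string that os.system() would hand to /bin/sh -c. Returned here,
    never executed."""
    cfg = f"{CONFIG_ROOT}/{configver}"
    return f"dos2unix -q {cfg}"


def validate_configver(configver: str) -> str:
    """Reject anything that is not a plain version token (also blocks '..')."""
    if not CONFIGVER_RE.fullmatch(configver) or ".." in configver:
        raise ValueError(f"invalid configver: {configver!r}")
    return configver


def hardened_argv(configver: str) -> List[str]:
    """Build the dos2unix invocation as an argv list. With a list and
    shell=False, no shell ever tokenises the path, so metacharacters in
    configver cannot become commands even if validation were bypassed."""
    cfg = f"{CONFIG_ROOT}/{validate_configver(configver)}"
    return ["dos2unix", "-q", cfg]


def convert_config_version(configver: str, execute: bool = False) -> List[str]:
    """Validate, then run (or by default just return) the safe argv."""
    argv = hardened_argv(configver)
    if execute:
        subprocess.run(argv, check=True)  # shell=False is the default
    return argv


def is_rejected(configver: str) -> bool:
    """True if the validator refuses this segment; used for self-checks."""
    try:
        validate_configver(configver)
    except ValueError:
        return True
    return False
```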

Affected Systems

The vulnerability affects the Roxy‑WI web interface for managing HAProxy, NGINX, Apache, and Keepalived. All releases of Roxy‑WI up to and including version 8.2.6.4 are affected. The product vendor is roxy‑wi:roxy‑wi.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires network access to the Roxy‑WI web interface, authentication with a user role of 3 or lower, and a crafted POST request to the vulnerable endpoint. Since no patch is publicly available at the time of publication, the exploit risk remains high for systems still running the affected versions.

Generated by OpenCVE AI on June 10, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the official patch or upgrade to the latest Roxy‑WI release as soon as one is available.
  • Restrict or remove user roles with level 3 or less to prevent authenticated abuse of the vulnerable endpoint.
  • Configure a Web Application Firewall or other perimeter controls to block or request‑sanitize the /config/versions/.../save path and prevent command‑injection payloads.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Roxy-wi; Roxy-wi roxy-wi
Vendors & Products | | Roxy-wi; Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a bin/sh -c command-injection sink. At time of publication, there are no publicly available patches.
Title | | Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T14:41:27.646Z

Reserved: 2026-05-12T19:00:14.599Z

Link: CVE-2026-45564

Vulnrichment

Updated: 2026-06-10T14:41:08.553Z

NVD

Status: Received

Published: 2026-06-10T15:16:37.307

Modified: 2026-06-10T16:17:07.103

Link: CVE-2026-45564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses