High severity8.8NVD Advisory· Published Apr 24, 2026· Updated Apr 27, 2026

CVE-2026-33208

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.

Affected products

Roxy Wi/Roxy Wi
cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Range: <8.2.6.4

Patches

02f147d567a3

v8.2.6.4: Enhance input validation and security in routes and login

https://github.com/roxy-wi/roxy-wiAidahoMar 20, 2026via nvd-ref

commit

2 files changed · +6 −2

app/login.py+2 −1 modified

@@ -6,6 +6,7 @@
 import app.modules.roxywi.roxy as roxy
 import app.modules.roxywi.auth as roxywi_auth
 import app.modules.roxywi.common as roxywi_common
+from app.modules.common.common import checkAjaxInput
 from app.modules.roxywi import logger
 
 
@@ -44,7 +45,7 @@ def login_page():
         return render_template('login.html', lang=lang)
     elif request.method == 'POST':
         next_url = request.json.get('next')
-        login = request.json.get('login')
+        login = checkAjaxInput(request.json.get('login'))
         password = request.json.get('pass')
         try:
             roxy.update_plan()

app/routes/config/routes.py+4 −1 modified

@@ -59,6 +59,9 @@ def show_config_files(service):
     server_ip = common.is_ip_or_dns(server_ip)
     config_file_name = request.form.get('config_file_name')
 
+    if '..' in config_file_name:
+        return jsonify({'error': 'error: .. is not allowed'})
+
     try:
         return config_mod.show_config_files(server_ip, service, config_file_name)
     except Exception as e:
@@ -69,7 +72,7 @@ def show_config_files(service):
 @check_services
 def find_in_config(service):
     server_ip = common.is_ip_or_dns(request.form.get('serv'))
-    finding_words = request.form.get('words')
+    finding_words = common.checkAjaxInput(request.form.get('words'))
     log_path = sql.get_setting(service + '_dir')
     log_path = common.return_nice_path(log_path)
     commands = f'sudo grep "{finding_words}" {log_path}*/*.conf -C 2 -Rn'

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544denvdPatch
github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2nvdExploitVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000