CVE-2026-27811

HIGH

Roxy-WI has a Command Injection via diff parameter in config comparison allows authenticated RCE

Title source: cna
STIX 2.1

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.

References (3)

Scores

CVSS v3 8.8
EPSS 0.0097
EPSS Percentile 76.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78 CWE-77
Status published
Products (1)
roxy-wi/roxy-wi < 8.2.6.3 (2 CPE variants)
Published Mar 18, 2026
Tracked Since Mar 18, 2026