CVE-2026-27811
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
Analysis
Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Roxy-WI deployments and verify current versions; restrict access to the `/config/compare/` endpoint to essential personnel only; enable enhanced logging on affected systems. Within 7 days: Implement network segmentation to isolate Roxy-WI hosts from production infrastructure; deploy WAF rules to block malicious payloads targeting the vulnerable endpoint; conduct access reviews of all Roxy-WI user accounts. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today