Apache
CVE-2026-27811
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the /config/compare/<service>/<server_ip>/show endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in app/modules/config/config.py on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
AnalysisAI
Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability.
Technical ContextAI
This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection flaw. The issue exists in app/modules/config/config.py at line 362 where user-supplied input is directly incorporated into a template string that is subsequently executed as a system command without proper sanitization or validation. Command injection occurs when an application passes unsafe user-supplied data to a system shell, allowing attackers to append malicious commands using shell metacharacters. Roxy-WI is a Python-based web application that provides centralized management for popular web servers and load balancers including Haproxy, Nginx, Apache, and Keepalived.
Affected ProductsAI
Roxy-WI web interface versions prior to 8.2.6.3 are affected by this command injection vulnerability. Roxy-WI is an open-source web management platform for Haproxy, Nginx, Apache and Keepalived servers developed by roxy-wi. The vulnerability was disclosed through GitHub Security Advisories (GHSA-jvmv-cw47-jh77) and confirmed by the project maintainers. The issue impacts all deployments running vulnerable versions regardless of which managed service (Haproxy, Nginx, Apache, or Keepalived) is being configured through the interface.
RemediationAI
Upgrade Roxy-WI to version 8.2.6.3 or later, which contains a fix for the command injection vulnerability as documented in the release notes at https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3. The specific patch commit addressing this issue can be reviewed at https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064. Until patching is complete, consider implementing compensating controls such as restricting network access to the Roxy-WI management interface to trusted IP ranges only, enforcing strong authentication policies, conducting audit log reviews for suspicious activity on the vulnerable endpoint, and applying principle of least privilege for user accounts. Full details are available in the GitHub Security Advisory at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today