Skip to main content

Apache CVE-2026-27811

HIGH
Command Injection (CWE-77)
2026-03-18 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 18, 2026 - 00:30 vuln.today
CVE Published
Mar 18, 2026 - 00:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the /config/compare/<service>/<server_ip>/show endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in app/modules/config/config.py on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.

AnalysisAI

Roxy-WI versions prior to 8.2.6.3 contain a command injection vulnerability in the configuration comparison endpoint that allows authenticated users to execute arbitrary system commands on the host server. The flaw stems from unsanitized user input being directly embedded into template strings executed by the application. An attacker with valid credentials can exploit this to achieve full system compromise with high impact on confidentiality, integrity, and availability.

Technical ContextAI

This vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), a command injection flaw. The issue exists in app/modules/config/config.py at line 362 where user-supplied input is directly incorporated into a template string that is subsequently executed as a system command without proper sanitization or validation. Command injection occurs when an application passes unsafe user-supplied data to a system shell, allowing attackers to append malicious commands using shell metacharacters. Roxy-WI is a Python-based web application that provides centralized management for popular web servers and load balancers including Haproxy, Nginx, Apache, and Keepalived.

Affected ProductsAI

Roxy-WI web interface versions prior to 8.2.6.3 are affected by this command injection vulnerability. Roxy-WI is an open-source web management platform for Haproxy, Nginx, Apache and Keepalived servers developed by roxy-wi. The vulnerability was disclosed through GitHub Security Advisories (GHSA-jvmv-cw47-jh77) and confirmed by the project maintainers. The issue impacts all deployments running vulnerable versions regardless of which managed service (Haproxy, Nginx, Apache, or Keepalived) is being configured through the interface.

RemediationAI

Upgrade Roxy-WI to version 8.2.6.3 or later, which contains a fix for the command injection vulnerability as documented in the release notes at https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3. The specific patch commit addressing this issue can be reviewed at https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064. Until patching is complete, consider implementing compensating controls such as restricting network access to the Roxy-WI management interface to trusted IP ranges only, enforcing strong authentication policies, conducting audit log reviews for suspicious activity on the vulnerable endpoint, and applying principle of least privilege for user accounts. Full details are available in the GitHub Security Advisory at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-27811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy