Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.
AnalysisAI
Remote code execution in Roxy-WI versions before 8.2.6.4 allows unauthenticated attackers to write malicious code into scheduled tasks via path traversal in the haproxy_section_save interface. The vulnerability chains CWE-22 path traversal with cron job manipulation, enabling arbitrary command execution on servers managing HAProxy, Nginx, Apache, and Keepalived infrastructure. CVSS 8.9 with network attack vector and no privileges required indicates critical risk, though EPSS data and KEV status are unavailable to confirm active exploitation.
Technical ContextAI
Roxy-WI is a centralized web interface for managing reverse proxy and load balancer configurations (HAProxy, Nginx, Apache) and high-availability services (Keepalived). The vulnerability affects the haproxy_section_save API endpoint, which processes configuration file paths without proper sanitization (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Attackers can exploit directory traversal sequences (e.g., '../../../') to escape intended configuration directories and write attacker-controlled content to system locations, specifically targeting cron job files or scheduled task directories. Once malicious entries are written to cron, the system's task scheduler executes the injected commands with application or system privileges, achieving persistent remote code execution. The affected CPE (cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*) indicates all versions prior to 8.2.6.4 are vulnerable.
RemediationAI
Upgrade to Roxy-WI version 8.2.6.4 or later, which contains the security fix implemented in commit aecc7971959092fa93e93531f1ffcde33524b031 (https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031). Review GitHub security advisory GHSA-mmgm-p9x9-h33j for complete remediation guidance. If immediate patching is not feasible, implement network-level access controls to restrict the Roxy-WI web interface to trusted management networks only - configure firewall rules to block internet access and permit connections exclusively from authorized administrator IP ranges or VPN endpoints. Disable the haproxy_section_save API endpoint if HAProxy configuration management through this interface is not actively required, though this may break configuration workflows. Monitor system cron jobs and scheduled tasks for unauthorized entries, particularly in /etc/cron.d/, /var/spool/cron/, and user crontabs - establish file integrity monitoring on these directories. Audit application logs for suspicious haproxy_section_save API calls containing path traversal sequences (../, encoded variants). Note that network restrictions significantly reduce attack surface but do not eliminate insider threat or pivot-after-breach scenarios; patching remains the primary mitigation.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25375