
Roxy-WI CVE-2026-33208

EUVD ID: EUVD-2026-25378
Severity: HIGH (CVSS 4.0 base score 7.4)
Weakness: OS Command Injection (CWE-78)
Published: 2026-04-24 (source: GitHub_M)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline (8 events)

Apr 27, 2026 - 15:16 (nvd): Patch released - patch available
Apr 24, 2026 - 14:52 (vuln.today): Re-analysis queued - cvss_changed
Apr 24, 2026 - 05:01 (EUVD): Patch available
Apr 24, 2026 - 03:31 (vuln.today): Analysis generated
Apr 24, 2026 - 03:22 (NVD): CVSS changed - 7.4 (HIGH)
Apr 24, 2026 - 03:00 (euvd): EUVD ID assigned - EUVD-2026-25378
Apr 24, 2026 - 03:00 (vuln.today): Analysis generated
Apr 24, 2026 - 02:10 (nvd): CVE published - HIGH 7.4

Description (NVD)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/<service>/find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.
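The pattern the description refers to, shown as an added illustration that is not Roxy-WI's own code: a search term interpolated raw into the remote grep line, beside a form that shell-quotes every user-controlled value. The function names, the exact grep command line and the nginx.conf path are assumptions; the search term is a constructed, benign Nginx directive whose trailing ';' is enough to show why quoting matters.

```python
import shlex

# Added example, not Roxy-WI code. Command shape, function names and
# the config path are assumptions made for illustration.


def build_find_cmd_unsafe(words: str, config_path: str) -> str:
    """Vulnerable shape described in the advisory: the user-supplied
    search term is dropped into the shell string as-is."""
    return f"sudo grep -n {words} {config_path}"


def build_find_cmd_safe(words: str, config_path: str) -> str:
    """Hardened form: each user-controlled value is single-quoted with
    shlex.quote, and '--' stops a term beginning with '-' from being
    parsed as a grep option. Quoting, not an argv list, is the fix that
    matters here, because the remote sshd hands the whole line to a
    shell regardless of how the local side assembled it."""
    return f"sudo grep -n -- {shlex.quote(words)} {shlex.quote(config_path)}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell would, with
    ';', '|', '&' and friends emitted as their own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


SHELL_OPERATORS = set("();<>|&")


def has_shell_operator(cmd: str) -> bool:
    """True if any token is made purely of shell operator characters,
    i.e. the user input escaped the grep argument it was meant to be."""
    return any(tok and set(tok) <= SHELL_OPERATORS for tok in shell_tokens(cmd))


if __name__ == "__main__":
    # Constructed input: a legitimate Nginx directive, nothing hostile,
    # yet its ';' already ends the grep command in the unsafe builder.
    term, path = "listen 443 ssl;", "/etc/nginx/nginx.conf"
    for build in (build_find_cmd_unsafe, build_find_cmd_safe):
        cmd = build(term, path)
        print(f"{build.__name__}: {cmd}")
        print("  tokens:", shell_tokens(cmd))
        print("  operator escaped the argument:", has_shell_operator(cmd))
```

Anything placed after that ';' in the unsafe variant would run as a second command under the same sudo context; in the safe variant the whole term stays one grep argument.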

Analysis (AI)

Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. …


Remediation (AI)

Within 24 hours: Inventory all Roxy-WI deployments and document current versions. Within 7 days: Apply vendor-released patch 8.2.6.4 (available via GitHub commit 02f147d) to all instances; if immediate patching is not feasible, restrict access to the /config/<service>/find-in-config endpoint via firewall or web application controls. …


CVE-2026-33208 vulnerability details – vuln.today
