Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.
AnalysisAI
Command injection in Roxy-WI versions prior to 8.2.6.4 enables authenticated attackers to execute arbitrary OS commands with sudo privileges on managed servers. The vulnerability stems from unsanitized input in the /config/<service>/find-in-config endpoint that breaks out of grep command context during remote SSH execution. A proof-of-concept exploit exists (CVSS E:P), and the CVSS 4.0 score of 7.4 reflects network-based attack with low complexity requiring only low-privilege authentication. Vendor-released patch 8.2.6.4 available via GitHub commit 02f147d.
Technical ContextAI
Roxy-WI is a web-based management interface for Haproxy, Nginx, Apache, and Keepalived servers that executes administrative commands on remote managed servers via SSH. The vulnerability affects the configuration search functionality where the 'words' parameter is passed unsanitized into a shell command string containing grep. This constitutes a classic CWE-78 OS Command Injection flaw where shell metacharacters (such as semicolons, pipes, backticks, or command substitution syntax) can terminate the intended grep command and inject arbitrary commands. The commands execute with sudo privileges in the context of the SSH session on the target managed server, not just the Roxy-WI web application host. The CPE identifier cpe:2.3:a:roxy-wi:roxy-wi indicates all versions prior to the patched release are affected.
RemediationAI
Upgrade immediately to Roxy-WI version 8.2.6.4 or later, which contains input sanitization fixes per GitHub commit 02f147d567a3cc8cf61a4b58ea4c2b7866a544de available at https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de. If immediate patching is not feasible, implement these compensating controls: Restrict network access to the Roxy-WI management interface to trusted administrator IP addresses only via firewall rules or reverse proxy ACLs (trade-off: reduces operational flexibility for remote administration). Audit and minimize Roxy-WI user accounts, removing low-privilege users and enforcing strong authentication (trade-off: may impact team workflows requiring delegated access). Monitor SSH logs on managed servers for unexpected command patterns or privilege escalation attempts originating from Roxy-WI's SSH keys (trade-off: detection-only, does not prevent exploitation). Consider temporarily disabling the configuration search feature if not operationally critical until patching is complete (trade-off: loss of search functionality).
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25378