CVE-2026-33208

UNKNOWN 0.0

Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.

CWE	CWE-78
Vendor	roxy-wi
Product	roxy-wi
Published	Apr 24, 2026

Stay Ahead of the Next One

Get instant alerts for roxy-wi roxy-wi

Be the first to know when new unknown vulnerabilities affecting roxy-wi roxy-wi are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

roxy-wi / roxy-wi

< 8.2.6.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2 github.com: https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de