8.8
Roxy-WI Prior to 8.2.6.3: Hackers Can Run Commands on Your Server
CVE-2026-27811
Summary
A security weakness in Roxy-WI's web interface before version 8.2.6.3 lets attackers who are already logged in run arbitrary system commands on the server. This is a serious issue because it could allow them to change your server's configuration or even take control of the server. To fix the issue, update to version 8.2.6.3 or later.
Original title
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_i...
Original description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted into a template string that is eventually executed. Version 8.2.6.3 fixes the issue.
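The description above attributes the bug to request input formatted into a command string that is later executed. The block below is an added example, not Roxy-WI's code and not the 8.2.6.3 patch: it contrasts that pattern with strict validation plus an argument vector run without a shell. The function names, the placeholder directory, the file-name rule and the assumption that the compared values are config file names are all hypothetical.

```python
import ipaddress
import re
import subprocess
from pathlib import Path

# Services named in the advisory text; everything else below is hypothetical.
ALLOWED_SERVICES = {"haproxy", "nginx", "apache", "keepalived"}
CONFIG_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,127}")  # assumed file-name rule
BASE_DIR = Path("/var/lib/example-wi/configs")  # placeholder directory

def unsafe_compare_command(left: str, right: str) -> str:
    """Vulnerable pattern: request values formatted into a string for a shell."""
    return f"diff -u {left} {right}"  # metacharacters in left/right reach the shell

def _config_path(service: str, name: str) -> Path:
    """Map a validated file name to a path directly inside BASE_DIR/<service>."""
    if not CONFIG_NAME.fullmatch(name):
        raise ValueError(f"rejected config name: {name!r}")
    root = (BASE_DIR / service).resolve()
    path = (root / name).resolve()
    if path.parent != root:  # catches symlinks that point outside the directory
        raise ValueError(f"path escapes config directory: {name!r}")
    return path

def safe_compare_argv(service: str, server_ip: str, left: str, right: str) -> list[str]:
    """Validate every request value, then build an argument vector (no shell)."""
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unknown service: {service!r}")
    ipaddress.ip_address(server_ip)  # raises ValueError on anything but an IP literal
    # "--" ends option parsing so a value can never be read as a diff flag.
    return ["diff", "-u", "--", str(_config_path(service, left)),
            str(_config_path(service, right))]

def compare(service: str, server_ip: str, left: str, right: str) -> str:
    """Run diff without a shell; exit status 1 only means the files differ."""
    argv = safe_compare_argv(service, server_ip, left, right)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    if result.returncode > 1:
        raise RuntimeError(result.stderr.strip())
    return result.stdout

if __name__ == "__main__":
    hostile = "b.cfg; id"  # constructed input containing a shell metacharacter
    print(unsafe_compare_command("a.cfg", hostile))  # a shell would see two commands
    try:
        safe_compare_argv("haproxy", "192.0.2.10", "a.cfg", hostile)
    except ValueError as exc:
        print("blocked:", exc)
```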
NVD CVSS 3.1
8.8
Vulnerability type
CWE-77
Command Injection
CWE-78
OS Command Injection
Published: 18 Mar 2026 · Updated: 18 Mar 2026 · First seen: 18 Mar 2026