CVE-2022-31126 CRITICAL

CVE-2022-31126: Unauthenticated Remote Code Execution in Roxy-wi

Vendor: Hap-Wi
Product: roxy-wi
Weakness: CWE-74
Published: July 6, 2022
Last update: April 23, 2025

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01 Description

Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to execute code by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

02 Disclosure timeline

July 6, 2022: CVE published
April 23, 2025: Record updated