CVE-2026-22265 HIGH

CVE-2026-22265: Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE

Vendor Roxy-Wi

Product roxy-wi

Weakness CWE-78

Published January 15, 2026

Last update January 15, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.

Key dates

02Disclosure timeline

January 15, 2026 CVE published

January 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22265 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-22265: Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE

01Description

02Disclosure timeline

03References

04Related CVE