CVE-2026-27811 HIGH

CVE-2026-27811: Roxy-WI has a Command Injection via diff parameter in config comparison allows authenticated RCE

Vendor Roxy-Wi
Product roxy-wi
Weakness CWE-77
Published March 17, 2026
Last update March 18, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Roxy-WI is a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, which allows authenticated users to execute arbitrary system commands on the application host. The vulnerability is in `app/modules/config/config.py` on line 362, where user input is formatted directly into a command template string that is later executed. Version 8.2.6.3 fixes the issue.
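The weakness described above (CWE-77) is the classic pattern of formatting a request parameter into a shell command string. The following is an added, self-contained Python example written for this page; it is not Roxy-WI's code and does not reproduce the project's real functions, directory layout or the exact line in `config.py`. It contrasts the unsafe string-formatting pattern with a hardened version that validates the file names and passes the arguments to `diff` as an argv list without a shell. `CONFIG_DIR`, `validate_diff_name`, `safe_build_argv` and `compare_configs` are all hypothetical names chosen for the example.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical directory holding saved config versions (an assumption
# for this example, not Roxy-WI's real layout).
CONFIG_DIR = Path("/tmp/roxywi-example-configs")

# A saved config name may only be a plain file name: it must start with a
# letter or digit and contain nothing but letters, digits, '.', '_' and '-'.
# This rules out path separators, '..' and every shell metacharacter.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def validate_diff_name(name: str) -> bool:
    """Return True only when `name` is a simple, metacharacter-free file name."""
    return bool(SAFE_NAME.fullmatch(name))


def unsafe_build_command(left: str, right: str) -> str:
    """The vulnerable pattern, shown only for contrast and never executed here:
    request parameters are interpolated into a command string that would later
    be handed to a shell, so any shell syntax in the parameters becomes part of
    the command."""
    return "diff -u {} {}".format(left, right)


def safe_build_argv(left: str, right: str, config_dir: Path = CONFIG_DIR) -> list[str]:
    """Build the diff command as an argv list after validating both names.

    Two independent checks: the allow-list regex on the raw parameter, and a
    containment check on the resolved path so the target can never leave
    `config_dir` even if the regex were later relaxed.
    """
    if not (validate_diff_name(left) and validate_diff_name(right)):
        raise ValueError("invalid config file name")
    base = config_dir.resolve()
    paths = [(base / name).resolve() for name in (left, right)]
    for p in paths:
        if p.parent != base:
            raise ValueError("config path escapes the config directory")
    # No shell is involved: each element is passed to diff as one argument.
    return ["diff", "-u", str(paths[0]), str(paths[1])]


def compare_configs(left: str, right: str, config_dir: Path = CONFIG_DIR) -> str:
    """Run diff without a shell and return its unified-diff output.

    diff exits 0 for identical files and 1 when they differ, so check=False
    and the exit status is not treated as an error.
    """
    argv = safe_build_argv(left, right, config_dir)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample names; the second one carries a shell metacharacter
    # and is rejected before any command is built.
    for name in ("haproxy.cfg-2026-03-17", "haproxy.cfg; id"):
        print(repr(name), "valid:", validate_diff_name(name))
```

Compared with the vulnerable form, the hardened builder never lets request data reach a shell: `subprocess.run` receives a list, so a name like `haproxy.cfg; id` cannot become two commands, and the allow-list rejects it before the list is even built. Rejecting on validation rather than trying to escape the input is the simpler and more auditable fix for this class of bug.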

Key dates

Disclosure timeline

March 17, 2026 CVE published
March 18, 2026 Record updated
