CVE-2026-33078 HIGH

CVE-2026-33078: Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter

Vendor Roxy-Wi

Product roxy-wi

Weakness CWE-89 · SQLi

Published April 24, 2026

Last update April 24, 2026

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.

Key dates

02Disclosure timeline

April 24, 2026 CVE published

April 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33078

Related vulnerabilities

CVE-2026-33078: Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter

01Description

02Disclosure timeline

03References

04Related CVE