CVE-2026-27811

CVE Database · CVE-2026-27811

CVE-2026-27811

· HIGHAnalyzed

CVSS v3.1

8.8

EPSS

2.04%

Published

Mar 17, 2026

Modified

Mar 19, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-77CWE-78

Affected Products (1)

roxy-wi · roxy-wi (up to 8.2.6.3)vulnerable

References (3)

https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064

Patch

https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3

ProductRelease Notes

https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77

ExploitMitigationVendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs