{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22265", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.923Z", "datePublished": "2026-01-15T16:27:52.446Z", "dateUpdated": "2026-01-15T16:46:11.782Z"}, "containers": {"cna": {"title": "Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47"}, {"name": "https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee", "tags": ["x_refsource_MISC"], "url": "https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee"}, {"name": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2"}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"version": "< 8.2.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T16:27:52.446Z"}, "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2."}], "source": {"advisory": "GHSA-mmmf-vh7m-rm47", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T16:46:01.059080Z", "id": "CVE-2026-22265", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T16:46:11.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22265", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-15T16:46:01.059080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T16:46:07.357Z"}}], "cna": {"title": "Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE", "source": {"advisory": "GHSA-mmmf-vh7m-rm47", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"status": "affected", "version": "< 8.2.8.2"}]}], "references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47", "name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee", "name": "https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2", "name": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T16:27:52.446Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22265", "state": "PUBLISHED", "dateUpdated": "2026-01-15T16:46:11.782Z", "dateReserved": "2026-01-07T05:19:12.923Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T16:27:52.446Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*", "matchCriteriaId": "29779791-CB73-48F7-A0FD-94C543DA082F", "versionEndExcluding": "8.2.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2."}], "id": "CVE-2026-22265", "lastModified": "2026-02-18T17:38:54.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-15T17:16:07.670", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:10:51.821418+00:00", "value": {"mitigation_remediation": ["Upgrade Roxy\u2011WI to version 8.2.8.2 or newer to remove the injection point.", "If an upgrade cannot be performed immediately, limit access to the Roxy\u2011WI interface to trusted IP ranges through firewall or router rules, thus reducing the number of potential authenticated users.", "Enforce strong, multi\u2011factor authentication and restrict log\u2011viewing privileges to users with the lowest necessary privileges to mitigate accidental or intentional exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Robust infrastructure components managed by Roxy\u2011WI, a web interface for HAProxy, Nginx, Apache, and Keepalived. Versions up to (but not including) 8.2.8.2 are affected; the issue is resolved in 8.2.8.2 and later releases.", "description_and_impact": "The vulnerability allows an authenticated user to inject and execute arbitrary shell commands through the unsafe use of the grep parameter in the logs.py module. The code improperly sanitizes the input in one instance while passing it directly to the shell in another, enabling executable payloads. Based on the description, it is inferred that successful exploitation would allow attackers to read, modify, or delete data, or install persistent backdoors.", "risk_and_exploitability": "The vulnerability scores a CVSS of 7.5, indicating a high impact on confidentiality, integrity, and availability. The EPSS is reported as less than 1\u202f%, showing a low exploitation probability in the current environment, and the weakness is not listed in the CISA KEV catalog. Attack requires legitimate authentication to the web interface, after which the attacker can supply a crafted grep argument to execute any system command. No additional conditions are required beyond standard access controls."}}}}, "created": "2026-01-16T13:43:45.190500+00:00", "updated": "2026-04-18T16:15:04.606481+00:00", "vendors": ["roxy-wi", "roxy-wi$PRODUCT$roxy-wi"]}