{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27811", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:31:33.267Z", "datePublished": "2026-03-17T23:43:05.871Z", "dateUpdated": "2026-03-18T19:53:19.520Z"}, "containers": {"cna": {"title": "Roxy-WI has a Command Injection via diff parameter in config comparison allows authenticated RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77"}, {"name": "https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064", "tags": ["x_refsource_MISC"], "url": "https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064"}, {"name": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3"}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"version": "< 8.2.6.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:43:05.871Z"}, "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue."}], "source": {"advisory": "GHSA-jvmv-cw47-jh77", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T19:52:58.029128Z", "id": "CVE-2026-27811", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:53:19.520Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27811", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T19:52:58.029128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T19:53:05.545Z"}}], "cna": {"title": "Roxy-WI has a Command Injection via diff parameter in config comparison allows authenticated RCE", "source": {"advisory": "GHSA-jvmv-cw47-jh77", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"status": "affected", "version": "< 8.2.6.3"}]}], "references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77", "name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064", "name": "https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3", "name": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:43:05.871Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27811", "state": "PUBLISHED", "dateUpdated": "2026-03-18T19:53:19.520Z", "dateReserved": "2026-02-24T02:31:33.267Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:43:05.871Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F8C30DD-5F13-4330-8E8D-43C31AB41F5C", "versionEndExcluding": "8.2.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue."}, {"lang": "es", "value": "Roxy-WI es una interfaz web para gestionar servidores Haproxy, Nginx, Apache y Keepalived. Antes de la versi\u00f3n 8.2.6.3, existe una vulnerabilidad de inyecci\u00f3n de comandos en el endpoint '/config/compare///show', que permit\u00eda a usuarios autenticados ejecutar comandos de sistema arbitrarios en el host de la aplicaci\u00f3n. La vulnerabilidad se encuentra en 'app/modules/config/config.py' en la l\u00ednea 362, donde la entrada del usuario se formatea directamente en la cadena de plantilla que finalmente se ejecuta. La versi\u00f3n 8.2.6.3 corrige el problema."}], "id": "CVE-2026-27811", "lastModified": "2026-03-19T18:00:58.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:19.427", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jvmv-cw47-jh77"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.2.6.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "roxy-wi", "source": "cna", "vendor": "roxy-wi"}, "product": "roxy-wi", "vendor": "roxy-wi"}], "analysis": {"en": {"generated_at": "2026-03-19T19:25:09.735566+00:00", "value": {"mitigation_remediation": ["Upgrade Roxy\u2011WI to version 8.2.6.3 or later.", "Verify that authentication mechanisms are properly configured to limit access to trusted users."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Roxy\u2011WI, the web interface for managing HAProxy, Nginx, Apache and Keepalived servers, is affected in all releases prior to version 8.2.6.3. Users running any earlier version of the software are vulnerable.", "description_and_impact": "The vulnerability is a command injection in the /config/compare/<service>/<server_ip>/show endpoint of Roxy\u2011WI, allowing an authenticated user to execute arbitrary system commands on the host. This leads to complete compromise of the underlying server, granting attackers full control over the system. The flaw is due to direct formatting of user input into a template string, which is then executed. The weakness corresponds to CWE\u201177 (Command Injection) and CWE\u201178 (OS Command Injection).", "risk_and_exploitability": "The CVSS base score is 8.8, indicating high severity. The EPSS score is below 1%, suggesting a relatively low probability of exploitation at the current time, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires valid user credentials to access the application and the /config/compare endpoint, so attackers must first authenticate. Once authenticated, they can supply a specially crafted diff parameter to execute arbitrary commands. Because the flaw resides in the server side code, it can affect the entire host, providing a high impact if exploited."}}}}, "created": "2026-03-18T10:42:29.666386+00:00", "updated": "2026-03-24T10:54:18.092229+00:00", "vendors": ["roxy-wi", "roxy-wi$PRODUCT$roxy-wi"]}