{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33078", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.345Z", "datePublished": "2026-04-24T02:05:02.737Z", "dateUpdated": "2026-04-24T12:10:25.193Z"}, "containers": {"cna": {"title": "Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j"}, {"name": "https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031", "tags": ["x_refsource_MISC"], "url": "https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031"}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"version": "< 8.2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:05:02.737Z"}, "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue."}], "source": {"advisory": "GHSA-jmj9-2c4q-849j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T12:10:21.211655Z", "id": "CVE-2026-33078", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:10:25.193Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33078", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T19:27:06.345Z", "datePublished": "2026-04-24T02:05:02.737Z", "dateUpdated": "2026-04-24T12:10:25.193Z"}, "containers": {"cna": {"title": "Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j"}, {"name": "https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031", "tags": ["x_refsource_MISC"], "url": "https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031"}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"version": "< 8.2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T02:05:02.737Z"}, "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue."}], "source": {"advisory": "GHSA-jmj9-2c4q-849j", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33078", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T12:10:21.211655Z"}}}], "references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T12:10:08.223Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*", "matchCriteriaId": "C493C2DE-0B9D-48E1-BEDA-9ECBE24DB508", "versionEndExcluding": "8.2.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue."}], "id": "CVE-2026-33078", "lastModified": "2026-04-27T15:10:14.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T03:16:10.657", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.2.6.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "roxy-wi", "source": "cna", "vendor": "roxy-wi"}, "product": "roxy-wi", "vendor": "roxy-wi"}], "analysis": {"en": {"generated_at": "2026-04-28T14:27:38.348025+00:00", "value": {"mitigation_remediation": ["Upgrade Roxy\u2011WI to version 8.2.6.4 or later, which removes the unsanitized server_ip parameter from the SQL query. ", "Ensure that all URL parameters received by the Roxy\u2011WI application are validated and sanitized before use in any database operations. ", "Restrict access to the haproxy_section_save endpoint and similar configuration routes to administrators only, and monitor database logs for suspicious query activity."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installed versions of Roxy\u2011WI that are older than version 8.2.6.4; the patch that removes the flaw is delivered in 8.2.6.4 and later releases.", "description_and_impact": "Roxy-WI, a web interface used to manage Haproxy, Nginx, Apache and Keepalived servers, suffers from a SQL injection flaw in the haproxy_section_save function. The server_ip parameter, taken from the URL path, is passed through without sanitization and ultimately interpolated into a SQL query via Python string formatting. This flaw is a classic injection weakness (CWE\u201189) that allows an attacker to execute arbitrary SQL statements, potentially leading to unauthorized data access, data modification, or further privilege escalation through the database. ", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.9, indicating high severity, but its EPSS score is listed as less than 1%, suggesting a low probability of exploitation in the wild. It is not currently catalogued in the CISA KEV list. Based on the description, the likely attack vector is through the web interface, requiring an authenticated session with sufficient privileges to access the haproxy_section_save endpoint. The low EPSS mitigates immediate risk, yet the potential for database compromise warrants prompt remediation."}}}}, "created": "2026-04-28T05:30:22.995929+00:00", "updated": "2026-04-28T14:30:33.770445+00:00", "vendors": ["roxy-wi", "roxy-wi$PRODUCT$roxy-wi"]}