cbcvebase.
CVE-2026-27811
published 2026-03-18

CVE-2026-27811: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in…

PriorityP265high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
2.04%
78.7th percentile
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare///show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.

Affected

1 ranges
VendorProductVersion rangeFixed in
roxy-wiroxy-wi< 8.2.6.38.2.6.3

Detection & IOCsextracted from sources · hover to see the quote

url/config/compare///show
pathapp/modules/config/config.py
  • Monitor HTTP requests to the /config/compare///show endpoint for anomalous or shell-metacharacter-containing parameters, which may indicate command injection attempts by authenticated users.
  • Audit Roxy-WI instances running versions prior to 8.2.6.3; the vulnerable code path is in app/modules/config/config.py at line 362 where user input is unsafely interpolated into a command template string.
  • ·Exploitation requires authentication; this is not an unauthenticated RCE. Detections should account for sessions from legitimate but potentially compromised authenticated accounts.
  • ·The vulnerability is fixed in version 8.2.6.3; only instances running prior versions are affected.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.