PT-2026-25962 · Apache+4

Flocto · Published 2026-03-17 · Updated 2026-03-19 · CVE-2026-27811

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Roxy-WI versions prior to 8.2.6.3

Description

Roxy-WI is a web interface used for managing Haproxy, Nginx, Apache, and Keepalived servers. A command injection issue exists in the /config/compare/<service>/<server ip>/show endpoint, allowing authenticated users to execute arbitrary system commands on the application host. The issue is located in app/modules/config/config.py on line 362, where user input is directly formatted into a template string that is subsequently executed. The vulnerable parameters are the service and server ip within the API endpoint.

Recommendations

Upgrade to version 8.2.6.3 or later to resolve this issue.
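
The flaw class named in the description (request values formatted into a command string), next to a validated argument-vector form. This is an added example, not Roxy-WI's code or its fix; the allow-list contents, the `/srv/example-configs` path, the `ls` command and all function names are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Assumption: an allow-list built from the four services the advisory names.
ALLOWED_SERVICES = frozenset({"haproxy", "nginx", "apache", "keepalived"})
# Hypothetical directory and command, used only to give the example a shape.
CONFIG_ROOT = "/srv/example-configs"


def unsafe_command(service: str, server_ip: str) -> str:
    """Pattern from the description: request values formatted into a shell string."""
    return f"ls {CONFIG_ROOT}/{service}/{server_ip}"


def validate_service(service: str) -> str:
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unsupported service: {service!r}")
    return service


def validate_server_ip(server_ip: str) -> str:
    # ip_address() raises ValueError for anything that is not an address literal.
    addr = ipaddress.ip_address(server_ip)
    # IPv6 zone IDs ("fe80::1%eth0") are free-form text after '%', so refuse them.
    if getattr(addr, "scope_id", None):
        raise ValueError("scoped IPv6 addresses are not accepted")
    return str(addr)  # canonical form, not the caller's original string


def safe_argv(service: str, server_ip: str) -> list[str]:
    """Validated values passed as separate arguments; no shell parses them."""
    path = f"{CONFIG_ROOT}/{validate_service(service)}/{validate_server_ip(server_ip)}"
    return ["ls", "--", path]


def list_configs(service: str, server_ip: str) -> subprocess.CompletedProcess:
    # shell=False is the default: argv goes to the program without shell parsing.
    return subprocess.run(safe_argv(service, server_ip), capture_output=True,
                          text=True, timeout=10, check=False)
```

Validation and the argument vector are independent layers: either one alone blocks shell interpretation of these two values, and together they also keep unexpected strings out of the file path.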

Exploit · Fix · RCE · Command Injection · OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-27811
GHSA-JVMV-CW47-JH77

Affected Products

Apache
Haproxy
Keepalived
Nginx
Roxy-Wi