Apache · Apache · CVE-2026-27811
**Name of the Vulnerable Software and Affected Versions**
Roxy-WI versions prior to 8.2.6.3
**Description**
Roxy-WI is a web interface used for managing HAProxy, Nginx, Apache, and Keepalived servers. A command injection issue exists in the `/config/compare/<service>/<server ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the application host. The issue is located in `app/modules/config/config.py` at line 362, where user input is formatted directly into a template string that is subsequently executed. The vulnerable parameters are the `service` and `server ip` values in the endpoint path.
**Recommendations**
Upgrade to version 8.2.6.3 or later to resolve this issue.
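
The flaw class described above, shown next to a hardened form, as an added example that is not Roxy-WI's code or its actual fix. The `diff` template, the `/tmp` paths and all function names are hypothetical; the allowlist is assumed from the four services named in the description.

```python
import ipaddress
import shlex

# Assumed allowlist: the four services the description says Roxy-WI manages.
ALLOWED_SERVICES = {"haproxy", "nginx", "apache", "keepalived"}


def build_unsafe(service, server_ip):
    """Flawed pattern: path values formatted straight into a shell command string."""
    # Hypothetical template; the advisory does not show the real one.
    return f"diff -u /tmp/{service}-{server_ip}.old /tmp/{service}-{server_ip}.new"


def validate(service, server_ip):
    """Accept only a known service name and a literal IP address."""
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unknown service: {service!r}")
    # ip_address() raises ValueError for anything but a literal IPv4/IPv6 address.
    return service, str(ipaddress.ip_address(server_ip))


def build_safe(service, server_ip):
    """Validated values as an argv list, for subprocess.run(argv) without a shell."""
    service, server_ip = validate(service, server_ip)
    base = f"/tmp/{service}-{server_ip}"
    return ["diff", "-u", f"{base}.old", f"{base}.new"]


def command_count(command):
    """Rough check: commands a shell would see, counting only ';' separators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return 1 + sum(1 for token in lexer if token == ";")


if __name__ == "__main__":
    # Constructed path values; the first carries a shell separator.
    for service, ip in [("nginx; id", "10.0.0.5"), ("nginx", "10.0.0.5")]:
        print("unsafe:", command_count(build_unsafe(service, ip)), "command(s)")
        try:
            print("safe argv:", build_safe(service, ip))
        except ValueError as exc:
            print("rejected:", exc)
```

Passing the argv list to `subprocess.run` without `shell=True` means the values are never parsed by a shell, so validation and argument separation each hold even if the other is bypassed.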