PT-2026-33845 · Roxy-Wi · Roxy-Wi

Published: 2026-04-20 · Updated: 2026-04-21 · CVE-2026-33431

CVSS v4.0: 7.1 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Roxy-WI versions prior to 8.2.6.4

Description: The POST '/config//show' API endpoint accepts a configver parameter that is appended to a base directory path to create a local file path. Because the path traversal guard ignores the user-supplied configver value, an authenticated attacker can use ../ sequences to escape the intended directory and read arbitrary files accessible to the web application process.

Recommendations: Update to version 8.2.6.4.
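
The guard failure in the description, shown as an added example that is not Roxy-WI's code: a containment check that runs before configver is appended, next to one that checks the final resolved path. The function names, the check ordering and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def _inside(base_dir: str, path: str) -> bool:
    """True when path, with symlinks and ../ resolved, lies under base_dir."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def read_flawed(base_dir: str, configver: str) -> str:
    """Assumed 'before' form: the guard runs on a path that lacks configver."""
    path = base_dir
    if not _inside(base_dir, path):           # guard never sees configver
        raise PermissionError("outside base directory")
    return Path(os.path.join(path, configver)).read_text()


def read_checked(base_dir: str, configver: str) -> str:
    """Hardened form: build the final path first, then guard what is opened."""
    path = os.path.join(base_dir, configver)  # absolute configver replaces base
    if not _inside(base_dir, path):
        raise PermissionError("configver escapes base directory")
    return Path(path).read_text()


def _blocked(base_dir: str, configver: str) -> bool:
    try:
        read_checked(base_dir, configver)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Constructed layout: <tmp>/configs/haproxy.cfg and <tmp>/secret.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "configs")
        os.mkdir(base)
        Path(base, "haproxy.cfg").write_text("global\n")
        secret = Path(tmp, "secret.txt")
        secret.write_text("outside-base\n")
        return {
            "flawed": read_flawed(base, "../secret.txt"),
            "legit": read_checked(base, "haproxy.cfg"),
            "traversal_blocked": _blocked(base, "../secret.txt"),
            "absolute_blocked": _blocked(base, str(secret)),
        }
```

The checked form also rejects an absolute configver, which `os.path.join` would otherwise let replace the base directory entirely.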


Related Identifiers: CVE-2026-33431

Affected Products: Roxy-Wi