CVE-2026-33078

Name of the Vulnerable Software and Affected Versions Roxy-WI versions prior to 8.2.6.4

Description An issue exists in the haproxy section save() function within app/routes/config/routes.py. The server ip parameter, which is sourced from the URL path, is passed unsanitized and interpolated into a SQL query string using Python string formatting. This allows attackers to execute arbitrary SQL commands via SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution.**

Recommendations Update to version 8.2.6.4.