PT-2026-34836 · Roxy-Wi · Roxy-Wi

Firebasky · Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-33208

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Roxy-WI versions prior to 8.2.6.4

Description

The '/config//find-in-config' endpoint fails to sanitize the words parameter before embedding it into a shell command string executed on a remote managed server via SSH. An authenticated attacker can inject shell metacharacters to bypass the intended grep command and execute arbitrary OS commands with sudo privileges, leading to Remote Code Execution (RCE), which is the ability to execute any command on a target machine remotely.

Recommendations

Update to version 8.2.6.4.
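
For teams auditing their own code for the same pattern, the following added example (not Roxy-WI's code and not the vendor's fix) contrasts a search term spliced into a shell string with one confined to a single grep argument. CONFIG_DIR, the grep flags, the length limit and all function names are assumptions made for illustration.

```python
import re
import shlex

# Assumptions, not Roxy-WI's code: CONFIG_DIR, the grep flags and all function names.
CONFIG_DIR = "/etc/haproxy"
MAX_TERM_LEN = 128

def build_unsafe(words: str) -> str:
    """Flawed pattern: request input spliced directly into the shell string."""
    return f"sudo grep -rn {words} {CONFIG_DIR}"

def build_safe(words: str) -> str:
    """Same search with the term confined to exactly one grep argument."""
    if not words or len(words) > MAX_TERM_LEN:
        raise ValueError("search term empty or too long")
    if re.search(r"[\x00-\x1f\x7f]", words):
        raise ValueError("control characters not allowed in search term")
    # -F: fixed string, no regex; -e: the next word is the pattern even if it
    # starts with '-'; --: end of options before the path.
    # shlex.quote makes the term one word for the POSIX shell on the remote host.
    return f"sudo grep -rnF -e {shlex.quote(words)} -- {shlex.quote(CONFIG_DIR)}"

def parsed_argv(cmd: str) -> list:
    """Split the string into words using POSIX quoting rules (shlex)."""
    return shlex.split(cmd)

def term_stays_one_argument(words: str) -> bool:
    """True when the built command parses back to the fixed argv plus the term."""
    expected = ["sudo", "grep", "-rnF", "-e", words, "--", CONFIG_DIR]
    return parsed_argv(build_safe(words)) == expected

# Constructed sample inputs, harmless by design.
SAMPLES = ["maxconn", "listen; echo INJECTED", "$(echo INJECTED)", "-v", "it's"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} unsafe: {build_unsafe(s)}")
        print(f"{'':28} safe:   {build_safe(s)}  one-arg={term_stays_one_argument(s)}")
```

Where the SSH library allows it, passing an argument vector instead of a command string removes the remote shell from the path entirely; quoting is the fallback when a string is unavoidable.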

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2026-33208

Affected Products

Roxy-Wi