Cyber Posture

CVE-2026-27811

High · Public PoC

Published: 18 March 2026

Modified: 19 March 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0097 (76.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted into the template string that is eventually executed. Version 8.2.6.3 fixes the issue.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Requires timely remediation of the specific command injection flaw by applying the vendor patch released in Roxy-WI version 8.2.6.3.

prevent

Mandates validation and sanitization of untrusted user inputs, such as server_ip in the /config/compare endpoint, to block command injection attacks.

prevent

Imposes restrictions on the types and quantities of user-supplied inputs to the web interface, reducing opportunities for successful command injection.
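
The input-validation control above, sketched as an added example; it is not Roxy-WI's code or its actual fix. The command, `CONFIG_ROOT` and the function names are hypothetical, and the lowercase service tokens are assumed from the service names in the description.

```python
import ipaddress
import subprocess

# The four services named in the description; the lowercase route tokens are an assumption.
ALLOWED_SERVICES = frozenset({"haproxy", "nginx", "apache", "keepalived"})
CONFIG_ROOT = "/srv/example/configs"  # placeholder path, not Roxy-WI's layout


def unsafe_command(service: str, server_ip: str) -> str:
    """Flawed pattern from the description: input formatted into a shell string."""
    # Hypothetical command; the real template in config.py is not shown on the page.
    return f"ls -1 {CONFIG_ROOT}/{service}/{server_ip}"


def safe_argv(service: str, server_ip: str) -> list:
    """Validate both route parameters and return an argv list for shell-free execution."""
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unknown service {service!r}")
    try:
        ip = ipaddress.ip_address(server_ip)
    except ValueError:
        raise ValueError(f"server_ip is not an IP literal: {server_ip!r}") from None
    # IPv6 zone ids ("fe80::1%eth0") accept almost any characters after '%',
    # so a parsed address can still carry '/' or ';'. Refuse them outright.
    if getattr(ip, "scope_id", None):
        raise ValueError("scoped IPv6 addresses are not accepted")
    # str(ip) is the canonical form: digits, hex, '.' and ':' only.
    return ["ls", "-1", "--", f"{CONFIG_ROOT}/{service}/{ip}"]


def list_configs(service: str, server_ip: str) -> subprocess.CompletedProcess:
    """Run the validated command without a shell, so metacharacters are inert."""
    return subprocess.run(safe_argv(service, server_ip), shell=False,
                          capture_output=True, text=True, timeout=10)


def is_accepted(service: str, server_ip: str) -> bool:
    """True when both parameters pass validation."""
    try:
        safe_argv(service, server_ip)
        return True
    except ValueError:
        return False


# Constructed inputs: one well-formed, three that must be refused.
SAMPLES = [("haproxy", "192.0.2.10"), ("haproxy", "192.0.2.10; echo INJECTED"),
           ("nginx", "::1%x/../../etc"), ("nginx; id", "192.0.2.10")]

if __name__ == "__main__":
    for svc, ip in SAMPLES:
        print(f"{svc!r:14} {ip!r:30} accepted={is_accepted(svc, ip)}")
```

Parsing alone is not enough for IPv6: the zone-id check is what stops a value that `ipaddress` accepts from carrying path or shell characters into the command.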

Security Summary · AI

CVE-2026-27811 is a command injection vulnerability (CWE-77, CWE-78) in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. Versions prior to 8.2.6.3 are affected, with the flaw located in the `/config/compare/<service>/<server_ip>/show` endpoint in `app/modules/config/config.py` at line 362. There, user input is directly formatted into a template string that is executed as a system command, enabling arbitrary command execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated users with low privileges can exploit this vulnerability remotely over the network, requiring low attack complexity and no user interaction. Exploitation allows attackers to execute arbitrary system commands on the host running the Roxy-WI application, potentially resulting in high impacts to confidentiality, integrity, and availability, such as full system compromise.

Roxy-WI version 8.2.6.3 resolves the issue, as documented in the project's security advisory (GHSA-jvmv-cw47-jh77), release notes for v8.2.6.3, and the fixing commit (a10ac7306c252014f97a7213db4a9470300fa064). Practitioners should upgrade to this version or later to mitigate the vulnerability.

Details

CWE(s)

Affected Products

roxy-wi
roxy-wi
≤ 8.2.6.3

MITRE ATT&CK Enterprise Techniques · AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables exploitation of a public-facing web application (T1190) via command injection, directly facilitating arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
