CVE-2026-33208

HighPublic PoC

Published: 24 April 2026

Published

24 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0032 55.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command…

string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the failure to sanitize the user-supplied 'words' parameter before embedding it into shell commands, preventing OS command injection.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the known flaw through patching to version 8.2.6.4, which fixes the command injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning would identify the OS command injection (CWE-78) in the /config/<service>/find-in-config endpoint prior to exploitation.

Security SummaryAI

CVE-2026-33208 is an OS command injection vulnerability (CWE-78) in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The issue affects versions prior to 8.2.6.4 and resides in the /config/<service>/find-in-config endpoint, which fails to sanitize the user-supplied "words" parameter. This parameter is embedded directly into a shell command string executed on a remote managed server via SSH, allowing injection of arbitrary shell metacharacters to escape the intended grep command context.

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables execution of arbitrary operating system commands with sudo privileges on the target managed server, leading to full remote code execution (RCE).

The vulnerability is patched in Roxy-WI version 8.2.6.4, as detailed in the project's GitHub commit (02f147d567a3cc8cf61a4b58ea4c2b7866a544de) and security advisory (GHSA-7m2h-gmvj-cjx2). Security practitioners should upgrade to the fixed version and review access controls for the affected endpoint to mitigate risks.

Details

CWE(s): CWE-78

Affected Products

roxy-wi

≤ 8.2.6.4

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS command injection in web interface enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution on remote servers (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de
Patch · security-advisories@github.com
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7m2h-gmvj-cjx2
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0