Roxy-WI - Remote Code Execution

Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the delcert parameter without proper input validation in the /app/options.py file, allowing attackers to inject arbitrary OS commands. id: CVE-2022-31161 info: name: Roxy-WI - Remote Code...

Roxy-WI < 6.1.1.0 - Remote Code Execution

Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the subprocessexecute function without processing the inputs received from the user in the /app/options.py file. id: CVE-2022-31137 info: name: Roxy-WI 6.1.1.0 - Remote Code Execution author:...

Roxy-WI - Remote Code Execution

Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the sshcommand function without processing the inputs received from the user in the /app/funct.py file. id: CVE-2022-31126 info: name: Roxy-WI - Remote Code Execution author: ritikchaddha...

CVE-2026-33076

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxysectionsave interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the iss...

CVE-2026-33078

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

CVE-2026-33432

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without...

SUSE CVE-2026-46042

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leaks in weightedinterleaveautostore weightedinterleaveautostore fetches oldwistate inside the if !input block only. This causes two memory leaks: 1. When a user writes "false" and the current mode is...

UBUNTU-CVE-2026-46042

In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leaks in weightedinterleaveautostore weightedinterleaveautostore fetches oldwistate inside the if !input block only. This causes two memory leaks: 1. When a user writes "false" and the current mode is...

CVE-2025-29338

CVE-2025-29338 affects the NXP moal.ko Wi‑Fi kernel driver (driver version 5.1.7.10) across firmware builds from v17.92.1.p149.43 to v17.92.1.p149.157. The root cause is a stack‑based buffer overflow in the parsing path: woal_setup_module_param allocates a fixed stack buffer and parse_cfg_get_lin...

Apple多款产品 安全漏洞

Apple iOS, among others, are products of the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple macOS is a specialized operating system designed for Mac computers. Apple iPadOS is an operating system for iPad tablets. Several of Apple’s products have...

CVE-2026-33077

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxysectionsave interface has an arbitrary file read vulnerability. Version 8.2.6.4 fixes the issue...

CVE-2026-33208

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...

CVE-2026-33078

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

CVE-2026-33077

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxysectionsave interface has an arbitrary file read vulnerability. Version 8.2.6.4 fixes the issue...

CVE-2026-33208

The CVE describes a vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived. Before version 8.2.6.4, the /config//find-in-config endpoint fails to sanitize the words parameter before embedding it into a shell command string executed on a remote managed server...

CVE-2026-33208 Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...

EUVD-2026-25378

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command string that is subsequently executed on a...

CVE-2026-33078

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

CVE-2026-33078 Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

CVE-2026-33078

Roxy-WI prior to version 8.2.6.4 contains a SQL injection in the haproxy_section_save endpoint (app/routes/config/routes.py). The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple calls and interpolated into a SQL query string using Python string formatting, e...