Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-33076

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.

View on NVD

Analysis

Roxy-WI versions prior to 8.2.6.4 are vulnerable to a critical remote code execution flaw via path traversal in the haproxy_section_save interface. An attacker can leverage this to write malicious scheduled tasks, potentially gaining full control over the servers managing your load balancers and web servers. Update to version 8.2.6.4 immediately.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-22

EPSS

Probability of exploitation (next 30 days): 0.0041 (0.4%)
Percentile: 61.2%
EPSS: 2026-05-06

Affects

roxy-wi:roxy-wi

Technical description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.

Published: 4/24/2026, 3:16:10 AM
Last modified: 4/27/2026, 3:03:04 PM

References

HomeEventsBlogResourcesTeam