Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-33078

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.

View on NVD

Analysis

Roxy-WI is a popular open-source management interface for critical infrastructure like HAProxy and Nginx. A 9.8 CVSS SQL injection in the configuration route allows for full database compromise and potential extraction of server credentials or configuration secrets. The impact is severe for DevOps teams using this tool to orchestrate their web stack.

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-89

EPSS

Probability of exploitation (next 30 days): 0.0004 (0.0%)
Percentile: 11.1%
EPSS: 2026-05-06

Affects

roxy-wi:roxy-wi

Technical description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.

Published: 4/24/2026, 3:16:10 AM
Last modified: 4/27/2026, 3:10:14 PM

References

HomeEventsBlogResourcesTeam