Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-33076

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.

Ver en NVD

Análisis

Roxy-WI versions prior to 8.2.6.4 are vulnerable to a critical remote code execution flaw via path traversal in the haproxy_section_save interface. An attacker can leverage this to write malicious scheduled tasks, potentially gaining full control over the servers managing your load balancers and web servers. Update to version 8.2.6.4 immediately.

Severidad

Puntaje: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-22

EPSS

Probabilidad de explotación (próx. 30 días): 0.0041 (0.4%)
Percentil: 61.2%
EPSS: 2026-05-06

Afecta

roxy-wi:roxy-wi

Descripción técnica

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the haproxy_section_save interface presents a vulnerability that could lead to remote code execution due to path traversal and writing into scheduled tasks. Version 8.2.6.4 fixes the issue.

Publicada: 24/4/2026, 3:16:10
Última modificación: 27/4/2026, 15:03:04

Referencias

InicioEventosBlogRecursosEquipo