Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.
References
| Link | Resource |
|---|---|
| https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee | Patch |
| https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 | Product Release Notes |
| https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 | Exploit Vendor Advisory |
Configurations
History
18 Feb 2026, 17:38
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Roxy-wi roxy-wi
Roxy-wi |
|
| CPE | cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* | |
| References | () https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee - Patch | |
| References | () https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 - Product, Release Notes | |
| References | () https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 - Exploit, Vendor Advisory |
15 Jan 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-15 17:16
Updated : 2026-02-18 17:38
NVD link : CVE-2026-22265
Mitre link : CVE-2026-22265
CVE.ORG link : CVE-2026-22265
JSON object : View
Products Affected
roxy-wi
- roxy-wi
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')