Command Injection Vulnerability in Roxy-WI Web Interface by Roxy-WI
CVE-2026-27811

8.8HIGH

Key Information:

Vendor

Roxy-wi

Status
Roxy-wi
Vendor
CVE Published:
17 March 2026

What is CVE-2026-27811?

Roxy-WI, a web interface designed for managing various server technologies, contains a command injection vulnerability in the /config/compare/<service>/<server_ip>/show endpoint. This flaw allows authenticated users to execute arbitrary system commands on the host running the application. The issue arises from the direct formatting of user input into a template string that is subsequently executed. Users are encouraged to upgrade to version 8.2.6.3, which addresses this security concern.

Affected Version(s)

roxy-wi < 8.2.6.3

References

https://github.com/roxy-wi/roxy-wi/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c25201...
x_refsource_MISC
https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.6.3
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.