Path Traversal Vulnerability in Roxy-WI Web Interface for Server Management
CVE-2026-33431

5.7 MEDIUM

Key Information:

Vendor: Roxy-wi

Status
Vendor
CVE Published: 20 April 2026

What is CVE-2026-33431?

Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers, is susceptible to a path traversal vulnerability. The flaw exists in the API endpoint POST /config//show prior to version 8.2.6.4, where the configver parameter is improperly validated. An authenticated attacker can supply '../' sequences in this parameter to traverse directories and gain access to sensitive files within the system. The traversal bypasses the existing safety measure because that check only validates the static base directory path. Roxy-WI has addressed this issue in version 8.2.6.4.
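The flaw class described above, shown as an added example that is not Roxy-WI's code: a check that validates only the static base directory, beside one that validates the resolved final path. The function names, directory layout and file contents are constructed for illustration.

```python
import tempfile
from pathlib import Path


def resolve_base_only(allowed_root: str, base_dir: str, configver: str) -> Path:
    """Flawed pattern: only the static base directory is validated."""
    root = Path(allowed_root).resolve()
    base = Path(base_dir).resolve()
    if base != root and root not in base.parents:
        raise ValueError("base directory outside allowed root")
    # configver is joined after the check, so '../' is never examined.
    return base / configver


def resolve_contained(base_dir: str, configver: str) -> Path:
    """Hardened pattern: validate the final, canonical path."""
    base = Path(base_dir).resolve()
    # resolve() collapses '..' and follows symlinks; an absolute configver
    # replaces base in the join and is rejected by the same test.
    candidate = (base / configver).resolve()
    if base not in candidate.parents:
        raise ValueError("configver escapes the config directory")
    return candidate


def demo() -> dict:
    """Run both checks over constructed files in a temporary directory."""
    outcome = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "configs")
        base.mkdir()
        (base / "haproxy.cfg.v1").write_text("global\n")             # constructed
        Path(root, "secret.txt").write_text("constructed secret\n")  # constructed
        for configver in ("haproxy.cfg.v1", "../secret.txt"):
            flawed = resolve_base_only(root, str(base), configver).read_text()
            try:
                hardened = resolve_contained(str(base), configver).read_text()
            except ValueError:
                hardened = None  # request rejected before any file is opened
            outcome[configver] = (flawed, hardened)
    return outcome


if __name__ == "__main__":
    for name, (flawed, hardened) in demo().items():
        print(f"{name!r}: base-only read {flawed!r}, contained check -> {hardened!r}")
```

The same containment test is a useful regression check when confirming that an upgraded deployment rejects a configver value that resolves outside the configuration directory.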

Affected Version(s)

roxy-wi < 8.2.6.4

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved