CVE-2026-22265

7.5 HIGH
Published: January 15, 2026 Modified: February 18, 2026
View on NVD

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee
Source: security-advisories@github.com
Patch
https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2
Source: security-advisories@github.com
Product Release Notes
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47
Source: security-advisories@github.com
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.2%
36th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-78

Affected Vendors

roxy-wi

Related CVEs

CVE-2026-4577 2.4
CVE-2026-23555 N/A
CVE-2026-23554 N/A
CVE-2025-6229 6.4
CVE-2025-13997 5.3