CVE-2026-27811
Published: 18 March 2026
Summary
CVE-2026-27811 is a high-severity Command Injection (CWE-77) vulnerability in Roxy-WI. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the specific command injection flaw by applying the vendor patch released in Roxy-WI version 8.2.6.3.
Mandates validation and sanitization of untrusted user inputs, such as server_ip in the /config/compare endpoint, to block command injection attacks.
Imposes restrictions on the types and quantities of user-supplied inputs to the web interface, reducing opportunities for successful command injection.
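An added example of the input validation described above, not Roxy-WI's own code: it assumes `server_ip` is always an IP literal, uses the four services the page names as an allow-list, and builds an argument list for a hypothetical `ls` command under a hypothetical `CONFIG_DIR` so that no shell ever parses the values.

```python
import ipaddress

# Services the page says Roxy-WI manages; used here as an allow-list.
ALLOWED_SERVICES = frozenset({"haproxy", "nginx", "apache", "keepalived"})

# Hypothetical directory for saved configs; not Roxy-WI's real path.
CONFIG_DIR = "/var/lib/example-configs"


class InvalidInput(ValueError):
    """Raised when a path parameter fails validation."""


def validate_service(service: str) -> str:
    """Accept only an exact match against the allow-list."""
    if service not in ALLOWED_SERVICES:
        raise InvalidInput(f"unknown service: {service!r}")
    return service


def validate_server_ip(server_ip: str) -> str:
    """Return the canonical text of a bare IPv4/IPv6 literal, else raise."""
    try:
        addr = ipaddress.ip_address(server_ip)
    except ValueError as exc:
        raise InvalidInput(f"not an IP address: {server_ip!r}") from exc
    # Edge case: an IPv6 zone suffix ("fe80::1%<zone>") may be accepted by the
    # parser with an arbitrary zone string, so zoned addresses are refused.
    if getattr(addr, "scope_id", None) is not None:
        raise InvalidInput(f"scoped IPv6 address not allowed: {server_ip!r}")
    return str(addr)


def build_compare_argv(service: str, server_ip: str) -> list[str]:
    """Validate both path parameters, then return an argv list.

    Pass the result to subprocess.run(argv) with the default shell=False:
    each value stays a single argument and is never formatted into a
    command string.
    """
    service = validate_service(service)
    ip = validate_server_ip(server_ip)
    return ["ls", "-1", "--", f"{CONFIG_DIR}/{service}/{ip}"]
```

Validation and argv-based execution are complementary: the first rejects malformed values at the route, the second removes the shell from the path even if a check is later loosened.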
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing web application (T1190) via command injection, which directly facilitates arbitrary Unix shell command execution (T1059.004).
NVD Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
Deeper analysis
CVE-2026-27811 is a command injection vulnerability (CWE-77, CWE-78) in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. Versions prior to 8.2.6.3 are affected, with the flaw located in the `/config/compare/<service>/<server_ip>/show` endpoint in `app/modules/config/config.py` at line 362. There, user input is directly formatted into a template string that is executed as a system command, enabling arbitrary command execution. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated users with low privileges can exploit this vulnerability remotely over the network, requiring low attack complexity and no user interaction. Exploitation allows attackers to execute arbitrary system commands on the host running the Roxy-WI application, potentially resulting in high impacts to confidentiality, integrity, and availability, such as full system compromise.
Roxy-WI version 8.2.6.3 resolves the issue, as documented in the project's security advisory (GHSA-jvmv-cw47-jh77), release notes for v8.2.6.3, and the fixing commit (a10ac7306c252014f97a7213db4a9470300fa064). Practitioners should upgrade to this version or later to mitigate the vulnerability.
Details
- CWE(s)