CVE-2026-33208
Published: 24 April 2026
Summary
CVE-2026-33208 is a high-severity OS Command Injection (CWE-78) vulnerability in Roxy-Wi Roxy-Wi. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the failure to sanitize the user-supplied 'words' parameter before embedding it into shell commands, preventing OS command injection.
Ensures timely remediation of the known flaw through patching to version 8.2.6.4, which fixes the command injection vulnerability.
Vulnerability scanning would identify the OS command injection (CWE-78) in the /config/<service>/find-in-config endpoint prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in web interface enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution on remote servers (T1059.004).
NVD Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the /config/ < service > /find-in-config endpoint in Roxy-WI fails to sanitize the user-supplied words parameter before embedding it into a shell command…
more
string that is subsequently executed on a remote managed server via SSH. An authenticated attacker can inject arbitrary shell metacharacters to break out of the intended grep command context and execute arbitrary OS commands with sudo privileges on the target server, resulting in full Remote Code Execution (RCE). Version 8.2.6.4 patches the issue.
Deeper analysisAI
CVE-2026-33208 is an OS command injection vulnerability (CWE-78) in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The issue affects versions prior to 8.2.6.4 and resides in the /config/<service>/find-in-config endpoint, which fails to sanitize the user-supplied "words" parameter. This parameter is embedded directly into a shell command string executed on a remote managed server via SSH, allowing injection of arbitrary shell metacharacters to escape the intended grep command context.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables execution of arbitrary operating system commands with sudo privileges on the target managed server, leading to full remote code execution (RCE).
The vulnerability is patched in Roxy-WI version 8.2.6.4, as detailed in the project's GitHub commit (02f147d567a3cc8cf61a4b58ea4c2b7866a544de) and security advisory (GHSA-7m2h-gmvj-cjx2). Security practitioners should upgrade to the fixed version and review access controls for the affected endpoint to mitigate risks.
Details
- CWE(s)