Roxy-WI has a Command Injection via grep parameter in logs.py...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.

Basic Information

ID CVE-2026-22265

Source GitHub_M

Published Jan 15, 2026 at 16:27

Modified Jan 15, 2026 at 16:46

Affected Product

Vendor roxy-wi

Product roxy-wi

Version < 8.2.8.2

Affected Versions roxy-wi roxy-wi < 8.2.8.2

CWE Classification

CWE-78

References

{
    "lastseen": "",
    "description": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.",
    "published": "2026-01-15T16:27:52.446Z",
    "modified": "2026-01-15T16:46:11.782Z",
    "type": "cve",
    "title": "Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE",
    "source": "GitHub_M",
    "references": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47\nhttps://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee\nhttps://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2",
    "id": "CVE-2026-22265",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "roxy-wi roxy-wi < 8.2.8.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "roxy-wi",
    "version": "< 8.2.8.2",
    "vendor": "roxy-wi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE_CVE-2026-22265