CVE-2026-33078

216.73.217.22

· Published 24/04/2026 03:16 · Modified 24/04/2026 14:50

Labels: CVE-2026-33078 2026-04-24 CVE-2026-33078 CWE-89 [email protected]

Essential information

Published: 24/04/2026 03:16
Modified: 24/04/2026 14:50
Author: —
Creator: —
CVSS: 8.9 HIGH (v3) 8.9 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
roxy-wi / roxy-wi	`cpe:2.3:a:roxy-wi:roxy-wi:<8.2.6.4:::::::*`
haproxy / haproxy	`cpe:2.3:a:haproxy:haproxy::::::::`
nginx / nginx	`cpe:2.3:a:nginx:nginx::::::::`
apache / http server	`cpe:2.3:a:apache:http_server::::::::`
keepalived / keepalived	`cpe:2.3:a:keepalived:keepalived::::::::`