Platform: nginx
Component: nginx
Fixed in: 8.2.7
CVE-2026-27811 describes a Command Injection vulnerability discovered in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. This vulnerability allows authenticated users to execute arbitrary system commands on the application host, potentially leading to complete system compromise. The issue affects versions of Roxy-WI up to and including 8.2.6.3, and a fix is available in version 8.2.6.3.
The impact of CVE-2026-27811 is significant due to the ability to execute arbitrary system commands. A successful attacker could gain complete control over the server hosting Roxy-WI, enabling them to steal sensitive data, install malware, or pivot to other systems on the network. The vulnerability resides in the /config/compare/<service>/<server_ip>/show endpoint, where user input is directly incorporated into a template string without proper sanitization. This allows attackers to inject malicious commands that are then executed by the application. Given Roxy-WI's role in managing critical infrastructure components like Nginx and Haproxy, a compromise could disrupt services and impact availability.
CVE-2026-27811 was publicly disclosed on 2026-03-18. No known public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on CISA KEV. The ease of exploitation, given the authenticated nature of the vulnerability and the direct command execution, warrants careful monitoring and prompt patching.
Organizations utilizing Roxy-WI to manage Nginx, Haproxy, Apache, or Keepalived servers are at risk. This includes DevOps teams, system administrators, and security engineers responsible for maintaining these infrastructure components. Shared hosting environments where Roxy-WI is deployed could expose multiple tenants to the vulnerability.
• linux / server:
journalctl -u roxy-wi | grep -i "command injection"
• generic web:
curl -I "http://<roxy-wi-ip>/config/compare/<service>/<server_ip>/show" | grep -i "Content-Type: application/octet-stream"
EPSS: 1.04% (77th percentile)
The primary mitigation for CVE-2026-27811 is to immediately upgrade Roxy-WI to version 8.2.6.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to filter requests targeting the /config/compare endpoint, specifically looking for suspicious characters or command patterns. Input validation on the server-side, even before the upgrade, can help reduce the attack surface. Regularly review Roxy-WI configuration and access controls to ensure only authorized users have access to sensitive functionality. After upgrading, confirm the fix by attempting to inject a simple command through the /config/compare endpoint; it should be rejected.
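A sketch of the server-side input validation mentioned above, written as an added example and not taken from Roxy-WI's code. It assumes the compare operation takes two config names (called `left` and `right` here, hypothetical names), that the comparison runs `diff`, and that configs live under a constructed placeholder directory; values are checked against allowlists and passed as an argument list rather than a template string.

```python
import ipaddress
import posixpath
import re

# Allowlist built from the services the page says Roxy-WI manages.
ALLOWED_SERVICES = {"haproxy", "nginx", "apache", "keepalived"}
# Assumed shape of a config file name: no spaces, slashes, shell
# metacharacters, or leading "-" / "." characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
# Constructed placeholder directory, not a real Roxy-WI path.
CONFIG_DIR = "/tmp/example-configs"


def validate_compare_request(service, server_ip, left, right):
    """Return a list of problems; an empty list means the input is acceptable.

    `left` and `right` are hypothetical names for the two configs to compare.
    """
    problems = []
    if service not in ALLOWED_SERVICES:
        problems.append("service not in allowlist")
    try:
        ipaddress.ip_address(str(server_ip))
    except ValueError:
        problems.append("server_ip is not an IP address")
    for label, name in (("left", left), ("right", right)):
        if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
            problems.append(f"{label} is not a plain file name")
    return problems


def build_diff_argv(service, server_ip, left, right):
    """Return an argument list for subprocess.run(argv), which uses no shell.

    Raises ValueError for invalid input instead of returning a command.
    """
    problems = validate_compare_request(service, server_ip, left, right)
    if problems:
        raise ValueError("; ".join(problems))
    base = posixpath.join(CONFIG_DIR, service)
    # "--" ends option parsing, so a file name is never read as a flag.
    return ["diff", "-u", "--",
            posixpath.join(base, left), posixpath.join(base, right)]
```

Because the result is a list handed to `subprocess.run` without `shell=True`, characters such as `;` or `$()` in a value are never interpreted by a shell even if a validation rule is later loosened.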
Upgrade Roxy-WI to version 8.2.6.3 or later. This version fixes the command injection vulnerability. The upgrade can be performed through the software's usual distribution channels.
CVE-2026-27811 is a Command Injection vulnerability in Roxy-WI versions up to 8.2.6.3, allowing authenticated users to execute arbitrary system commands.
You are affected if you are using Roxy-WI versions 8.2.6.3 or earlier. Immediately assess your deployments.
Upgrade Roxy-WI to version 8.2.6.3 or later. As a temporary measure, implement WAF rules to filter suspicious requests.
No active exploitation has been confirmed at this time, but the vulnerability's ease of exploitation warrants close monitoring.
Refer to the Roxy-WI project's official website and GitHub repository for the latest security advisories and updates.