CVE-2026-33078

Vulnerability Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxy_section_save function in app/routes/config/routes.py. The server_ip parameter, sourced from the URL path, is passed unsanitized through multiple function calls and ultimately interpolated into a SQL query string using Python string formatting, allowing attackers to execute arbitrary SQL commands. Version 8.2.6.4 fixes the issue.

Vulnerability Details

Published Date

April 24, 2026

Last Modified

April 24, 2026

CWE ID

CWE-89

Source

NVD

Vendor

roxy-wi

Product

roxy-wi

External References

https://github.com/roxy-wi/roxy-wi/commit/aecc7971959092fa93e93531f1ffcde33524b031
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-jmj9-2c4q-849j

CVE-2026-33078

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment