CVE-2026-33431

April 21, 2026, 4:20 p.m.

5.7
Medium

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.

Product(s) Impacted

Vendor Product Versions
Roxy-wi
  • Roxy-wi
  • <8.2.6.4
Haproxy
  • Haproxy
  • *
Nginx
  • Nginx
  • *
Apache
  • Apache
  • *
Keepalived
  • Keepalived
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-24
Path Traversal: '../filedir'
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a roxy-wi roxy-wi <8.2.6.4 / / / / / / /
a haproxy haproxy / / / / / / / /
a nginx nginx / / / / / / / /
a apache apache / / / / / / / /
a keepalived keepalived / / / / / / / /

References

https://github.com/roxy-wi/roxy-wi/commit/d4d100067dd0ee04317f05d3b51be8fcfdc3f802
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-w3c9-36jf-qrw4
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-w3c9-36jf-qrw4

Tags

[email protected]
CWE-24
2026-04-20
CVE-2026-33431

CVSS Score

5.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: PROOF_OF_CONCEPT

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 20, 2026, 9:16 p.m.
Last Modified: April 21, 2026, 4:20 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.