Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.
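The guard flaw described above, shown next to a hardened check. This is an added example, not Roxy-WI's code: the function names, the `configs/` layout and the sample file names are hypothetical and constructed for illustration.

```python
import os
import tempfile


def flawed_resolve(base_dir, configver):
    # Guard as described in the advisory: only base_dir is inspected.
    if ".." in base_dir:  # base_dir is never user-controlled, so this never fires
        raise ValueError("path traversal detected")
    return base_dir + configver  # user input appended unchecked


def safe_resolve(base_dir, configver):
    # Canonicalize the joined path, then require it to sit strictly under base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, configver))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("configver escapes the config directory")
    return candidate


def is_inside(base_dir, path):
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base


def demo():
    # Constructed layout: <tmp>/configs/ is the intended directory,
    # <tmp>/secret.txt stands in for a file outside it.
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "configs") + os.sep
        os.mkdir(base)
        for name in (os.path.join(base, "haproxy.cfg.v1"), os.path.join(root, "secret.txt")):
            with open(name, "w") as fh:
                fh.write("data\n")
        for configver in ("haproxy.cfg.v1", "../secret.txt", "sub/../../secret.txt"):
            flawed_ok = is_inside(base, flawed_resolve(base, configver))
            try:
                safe_resolve(base, configver)
                safe_ok = True
            except ValueError:
                safe_ok = False
            results[configver] = (flawed_ok, safe_ok)
    return results


if __name__ == "__main__":
    for value, (flawed_ok, safe_ok) in demo().items():
        print(f"{value!r}: flawed stays inside={flawed_ok}, hardened accepts={safe_ok}")
```

The hardened check validates the canonical form of the final path, so it also rejects absolute `configver` values and symlinks that resolve outside the base directory.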

INFO

Published Date: 2026-04-20T20:24:15.319Z

Last Modified: 2026-04-21T13:42:19.802Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-33431 vulnerability.

Vendor: Roxy-wi
Products:
  • Roxy-wi