Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the…

Roxy-WI, a web interface for managing Haproxy, Nginx, Apache and Keepalived servers, contains a command injection vulnerability in versions prior to 8.2.6.3. The vulnerability exists in the /config/compare/<service>/<server_ip>/show endpoint where authenticated users can execute arbitrary system commands on the application host. The issue is located in app/modules/config/config.py at line 362, where user input is directly formatted in a template string that gets executed. The vulnerability has been fixed in version 8.2.6.3.