CVE-2026-22265
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roxy-wi | roxy-wi | up to 8.2.8.2 (8.2.8.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22265 is a command injection vulnerability in the Roxy-WI web interface used for managing servers such as HAProxy, Nginx, Apache, and Keepalived. The flaw exists in the log viewing functionality, where an input parameter called 'grep' is used unsafely in a system command. Although one instance of the 'grep' input is sanitized, another instance is used raw without proper sanitization, allowing authenticated users to inject arbitrary system commands. This can be exploited by sending specially crafted input containing newline characters to execute commands as root on the syslog server. [3]
How can this vulnerability impact me?
This vulnerability allows authenticated users to execute arbitrary system commands with root privileges on the syslog server. This can lead to full system compromise, including unauthorized access, data manipulation, or disruption of services. The impact is high on confidentiality, integrity, and availability of the affected system. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking if your Roxy-WI installation is a vulnerable version prior to 8.2.8.2 and if the syslog server feature is enabled (syslog_server_enable=1). You can monitor logs or network traffic for suspicious POST requests to the logs endpoint containing newline characters in the grep parameter, which may indicate attempted command injection. Specific commands are not provided in the resources, but reviewing access logs for POST requests with unusual grep parameters or using intrusion detection systems to flag such patterns is recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Roxy-WI to version 8.2.8.2 or later, which fixes the vulnerability by properly sanitizing input and removing the raw grep parameter from command execution. Additionally, ensure that the checkAjaxInput() function blocks newline and other special characters by extending its blocklist to include \n, \r, < and >. If upgrading immediately is not possible, restrict access to the log viewing functionality to trusted users only and disable the syslog server feature (set syslog_server_enable to 0) to reduce risk. [2, 3, 1]
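The two defensive checks described in the detection and mitigation answers above, as an added example that is not Roxy-WI's own code: a blocklist filter of the kind checkAjaxInput() is expected to apply to the grep parameter (the shell metacharacters in the base set are an assumption; \n, \r, < and > are the additions the text calls for), and a scan over constructed access-log lines that flags POST requests to the logs endpoint whose grep parameter decodes to a blocked character. The endpoint path `/app/logs` and the common access-log layout are placeholders, not Roxy-WI's real route or log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Blocklist for the grep filter. The shell metacharacters are an assumed
# base set; newline, carriage return, '<' and '>' are the additions the
# advisory text asks for in checkAjaxInput().
BLOCKED_CHARS = set(";|&`$()\n\r<>")


def is_safe_grep(value: str) -> bool:
    """Return True only if the grep filter contains no blocked characters."""
    return not any(ch in BLOCKED_CHARS for ch in value)


# Common access-log shape: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_requests(lines):
    """Flag POST requests to a logs endpoint whose grep parameter, once
    percent-decoded, carries a blocked character (e.g. %0a -> newline)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/logs"):  # placeholder route, see lead-in
            continue
        # parse_qs percent-decodes, so %0a/%0d become real \n/\r here.
        for grep_value in parse_qs(parts.query).get("grep", []):
            if not is_safe_grep(grep_value):
                hits.append((m["ip"], grep_value))
    return hits


# Constructed sample lines: one benign POST, one POST with an encoded
# newline and carriage return in grep, and one GET that is not reported.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2026:10:00:01 +0000] "POST /app/logs?grep=error HTTP/1.1" 200',
    '10.0.0.7 - - [15/Jan/2026:10:00:02 +0000] "POST /app/logs?grep=error%0a%0d HTTP/1.1" 200',
    '10.0.0.9 - - [15/Jan/2026:10:00:03 +0000] "GET /app/logs?grep=%0a HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious grep parameter from {ip}: {value!r}")
```

Only POST requests are reported because that is what the detection guidance above describes; widening the method check is a one-line change if your deployment logs request bodies or uses GET for the same view.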