CVE-2026-22265
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22265
EUVD
EUVD-2026-2858
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22265 is a command injection vulnerability in the Roxy-WI web interface used for managing servers like Haproxy, Nginx, Apache, and Keepalived. The flaw exists in the log viewing functionality where an input parameter called 'grep' is used unsafely in a system command. Although one instance of the 'grep' input is sanitized, another instance is used raw without proper sanitization, allowing authenticated users to inject arbitrary system commands. This can be exploited by sending specially crafted input containing newline characters to execute commands as root on the syslog server. [3]

Impact Analysis

This vulnerability allows authenticated users to execute arbitrary system commands with root privileges on the syslog server. This can lead to full system compromise, including unauthorized access, data manipulation, or disruption of services. The impact is high on confidentiality, integrity, and availability of the affected system. [3]

Detection Guidance

Detection involves checking if your Roxy-WI installation is a vulnerable version prior to 8.2.8.2 and if the syslog server feature is enabled (syslog_server_enable=1). You can monitor logs or network traffic for suspicious POST requests to the logs endpoint containing newline characters in the grep parameter, which may indicate attempted command injection. Specific commands are not provided in the resources, but reviewing access logs for POST requests with unusual grep parameters or using intrusion detection systems to flag such patterns is recommended. [3]

Mitigation Strategies

Immediate mitigation steps include upgrading Roxy-WI to version 8.2.8.2 or later, which fixes the vulnerability by properly sanitizing input and removing the raw grep parameter from command execution. Additionally, ensure that the checkAjaxInput() function blocks newline and other special characters by extending its blocklist to include characters like \n, \r, and <>. If upgrading immediately is not possible, restrict access to the log viewing functionality to trusted users only and disable the syslog server feature (set syslog_server_enable to 0) to reduce risk. [2, 3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22265. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart