CVE-2026-33431

MEDIUM
Published Apr 20, 2026 Modified Apr 24, 2026 CWE-24

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.

CVSS v3.1 Score

6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS — Exploit Prediction

0.0005
Probability of exploitation
0.15%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-24 CWE-24

Affected Products

Vendor Product
roxy-wi roxy-wi

References

Frequently Asked Questions

What is CVE-2026-33431? +
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue. It has a CVSS v3.1 base score of 6.5 (MEDIUM).
How severe is CVE-2026-33431? +
CVE-2026-33431 has a CVSS v3.1 score of 6.5 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0005, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-33431? +
CVE-2026-33431 affects products from roxy-wi, specifically: roxy-wi. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-33431? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-59342

esm.sh is a nobuild content delivery network(CDN) for modern web development. In 136 and earlier, a path-traversal flaw in the …
CVE-2023-6699 9.1

The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, …
CVE-2025-61318 9.1

Emlog Pro 2.5.20 has an arbitrary file deletion vulnerability. This vulnerability stems from the admin/template.php component and the admin/plugin.php component. …
CVE-2024-23657 8.8

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Nuxt Devtools is missing …
CVE-2025-54769 8.8

An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in …
CVE-2025-53513 8.8

The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-33431 — free, no signup required.

Start Free Scan