Path traversal in Roxy-WI - CVE-2026-33431

 

Published: April 20, 2026


Vulnerability identifier: #VU126547
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33431
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roxy-WI
Affected software:
Roxy-WI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the POST /config//show API endpoint when processing the user-supplied configver parameter. A remote user can send a specially crafted request containing ../ sequences to disclose sensitive information.

The issue affects authenticated users regardless of their assigned role, and exposed files may include the application configuration and SSH private keys accessible to the web application process.
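A containment check of the kind that closes this class of bug, as an added example: it is not Roxy-WI's code or the vendor's fix. The function names, the `configs` directory layout and the sample file names are assumptions constructed for the demonstration.

```python
import tempfile
from pathlib import Path


class UnsafeConfigPath(ValueError):
    """Requested config version does not resolve to a file inside the store."""


def resolve_config_version(base_dir: str, configver: str) -> Path:
    """Return the real path of configver under base_dir, or raise."""
    if not configver or "\x00" in configver:
        raise UnsafeConfigPath("empty or NUL-containing name")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ../ and follows symlinks before the containment check.
    candidate = (base / configver).resolve()
    # Component-wise comparison: "<base>_backup" is not a child of "<base>".
    if not candidate.is_relative_to(base):
        raise UnsafeConfigPath(f"outside config directory: {configver!r}")
    if not candidate.is_file():
        raise UnsafeConfigPath(f"not a regular file: {configver!r}")
    return candidate


def demo() -> dict:
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "configs")            # hypothetical config store
        backup = Path(root, "configs_backup")   # sibling sharing the prefix
        base.mkdir()
        backup.mkdir()
        (base / "haproxy.cfg.v1").write_text("global\n")
        (backup / "old.cfg").write_text("global\n")
        outside = Path(root, "outside.txt")     # stands in for a sensitive file
        outside.write_text("constructed\n")
        (base / "link.cfg").symlink_to(outside)  # symlink that leaves the store
        names = {"plain": "haproxy.cfg.v1", "dotdot": "../outside.txt",
                 "absolute": str(outside), "sibling": "../configs_backup/old.cfg",
                 "symlink": "link.cfg", "missing": "missing.cfg", "dir": "."}
        for label, name in names.items():
            try:
                resolve_config_version(str(base), name)
                results[label] = "allowed"
            except UnsafeConfigPath:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Only the plain file name is allowed; the check is applied to the resolved path, so it does not depend on filtering `../` out of the input string.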


How to mitigate CVE-2026-33431

Install the security update from the vendor's website.
