Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim - no checkAjaxInput, no LDAP escape - and inserted, a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches.
AnalysisAI
LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.
Technical ContextAI
Roxy-WI is a Python-based web management interface for load balancer and proxy server stacks including HAProxy, Nginx, Apache, and Keepalived. The vulnerability is classified as CWE-90 (Improper Neutralization of Special Elements Used in an LDAP Query), a class of injection flaw where LDAP metacharacters - parentheses, asterisks, null bytes - are used to alter the logical structure of a search filter. The specific sink is the get_ldap_email function at lines 120-157 of app/modules/roxywi/user.py, which takes a username from the URL path parameter and directly interpolates it into an LDAP search filter string using a Python f-string, bypassing the checkAjaxInput validation and any LDAP-specific escaping. The affected CPE is cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* covering all versions up to and including 8.2.6.4. LDAP filter injection can manipulate AND/OR logic, broaden result sets, and return attributes outside the intended attribute scope, effectively allowing directory enumeration.
RemediationAI
No vendor-released patch has been identified at time of analysis - the advisory explicitly states no publicly available patches exist as of publication. Organizations should consider disabling LDAP authentication integration in Roxy-WI entirely if it is not operationally required, eliminating the vulnerable code path at the cost of LDAP-based user management. If LDAP authentication must remain active, restrict Roxy-WI administrative access to a minimal, audited set of trusted accounts and enforce network-layer controls limiting access to the Roxy-WI interface to known management hosts only - this does not eliminate the vulnerability but reduces the risk of a compromised admin account being used to exploit it. Monitor the GitHub repository at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-2257-7mhp-grqp for patch availability and apply any released fix promptly once a patched version is published.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36040