Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/static/js/script.js, log-viewer paths) uses .html(data) / .append(data) to inject the response body. Anyone able to write a line into a managed HAProxy/Nginx access log (i.e. anyone who can send an HTTP request to the public LB) can land an <svg/onload=…> payload that executes when a Roxy-WI admin opens the log viewer. At time of publication, there are no publicly available patches.
AnalysisAI
Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.
Technical ContextAI
Roxy-WI is a Python-based web management interface for HAProxy, Nginx, Apache, and Keepalived. The vulnerable code exists in two functions - wrap_line (app/modules/common/common.py lines 181-186) and highlight_word (app/modules/common/common.py lines 188-192) - which construct HTML output by raw string concatenation without applying any HTML entity encoding or sanitization. This backend output is then consumed by the frontend (app/static/js/script.js, log-viewer code paths) using jQuery's .html(data) and .append(data) methods, both of which parse and render HTML tags rather than treating the content as plain text. Because HAProxy and Nginx access logs include attacker-controlled fields such as request URI, User-Agent, and Referer headers, an adversary can write an SVG-based XSS payload (e.g., <svg/onload=fetch(...)>) directly into the log file. CWE-79 (Improper Neutralization of Input During Web Page Generation) captures the root cause: untrusted data flows from an external source through the log file into the HTML rendering layer without escaping at any point. The CPE string cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* confirms the affected product family spans all platform variants of the application.
RemediationAI
No vendor-released patch has been identified at time of analysis; the GitHub advisory (https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-28m4-mmr2-83p6) explicitly states no publicly available patch exists as of publication. Organizations should monitor the Roxy-WI GitHub repository for a fix and upgrade immediately upon release. In the interim, apply the following specific compensating controls: first, restrict access to the Roxy-WI web interface to trusted internal networks or VPN-only access using firewall rules or a reverse proxy with IP allowlisting - this does not prevent log injection but prevents the injected payload from reaching an admin browser over an untrusted path; second, disable or restrict the log viewer feature within Roxy-WI if the application permits role-based feature restriction, directing administrators to review raw log files on the server via SSH instead, which avoids the vulnerable HTML rendering path; third, implement a web application firewall (WAF) rule that strips or encodes common XSS patterns (e.g., <svg, onerror=, onload=) in HTTP request fields (URI, User-Agent, Referer) before they reach the load balancer - note that this is an incomplete control as WAF bypass techniques exist and it does not address the root HTML injection flaw. Each workaround has trade-offs: IP restriction may block legitimate remote administration; disabling the log viewer reduces operational visibility; WAF filtering can be bypassed and may break benign requests with special characters.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36041