Skip to main content

Roxy-WI CVE-2026-45560

| EUVDEUVD-2026-36041 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 GitHub_M
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 10, 2026 - 15:27 vuln.today
CVE Published
Jun 10, 2026 - 14:02 nvd
MEDIUM 6.1

DescriptionNVD

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/static/js/script.js, log-viewer paths) uses .html(data) / .append(data) to inject the response body. Anyone able to write a line into a managed HAProxy/Nginx access log (i.e. anyone who can send an HTTP request to the public LB) can land an <svg/onload=…> payload that executes when a Roxy-WI admin opens the log viewer. At time of publication, there are no publicly available patches.

AnalysisAI

Stored cross-site scripting in Roxy-WI 8.2.6.4 and prior allows any unauthenticated remote attacker who can send HTTP requests to a managed HAProxy or Nginx load balancer to inject malicious payloads into server access logs, which then execute in the browser of any Roxy-WI administrator who opens the log viewer. The vulnerability stems from unsanitized HTML concatenation in the Python backend combined with unsafe jQuery .html()/.append() rendering on the frontend - a classic stored XSS with a changed scope (S:C) because the attacker's input, written via the load balancer, achieves code execution in the privileged admin web UI context. No publicly available patches exist at time of analysis; no public exploit code or CISA KEV listing has been identified.

Technical ContextAI

Roxy-WI is a Python-based web management interface for HAProxy, Nginx, Apache, and Keepalived. The vulnerable code exists in two functions - wrap_line (app/modules/common/common.py lines 181-186) and highlight_word (app/modules/common/common.py lines 188-192) - which construct HTML output by raw string concatenation without applying any HTML entity encoding or sanitization. This backend output is then consumed by the frontend (app/static/js/script.js, log-viewer code paths) using jQuery's .html(data) and .append(data) methods, both of which parse and render HTML tags rather than treating the content as plain text. Because HAProxy and Nginx access logs include attacker-controlled fields such as request URI, User-Agent, and Referer headers, an adversary can write an SVG-based XSS payload (e.g., <svg/onload=fetch(...)>) directly into the log file. CWE-79 (Improper Neutralization of Input During Web Page Generation) captures the root cause: untrusted data flows from an external source through the log file into the HTML rendering layer without escaping at any point. The CPE string cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* confirms the affected product family spans all platform variants of the application.

RemediationAI

No vendor-released patch has been identified at time of analysis; the GitHub advisory (https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-28m4-mmr2-83p6) explicitly states no publicly available patch exists as of publication. Organizations should monitor the Roxy-WI GitHub repository for a fix and upgrade immediately upon release. In the interim, apply the following specific compensating controls: first, restrict access to the Roxy-WI web interface to trusted internal networks or VPN-only access using firewall rules or a reverse proxy with IP allowlisting - this does not prevent log injection but prevents the injected payload from reaching an admin browser over an untrusted path; second, disable or restrict the log viewer feature within Roxy-WI if the application permits role-based feature restriction, directing administrators to review raw log files on the server via SSH instead, which avoids the vulnerable HTML rendering path; third, implement a web application firewall (WAF) rule that strips or encodes common XSS patterns (e.g., <svg, onerror=, onload=) in HTTP request fields (URI, User-Agent, Referer) before they reach the load balancer - note that this is an incomplete control as WAF bypass techniques exist and it does not address the root HTML injection flaw. Each workaround has trade-offs: IP restriction may block legitimate remote administration; disabling the log viewer reduces operational visibility; WAF filtering can be bypassed and may break benign requests with special characters.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-45560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy