Skip to main content

Roxy-WI CVE-2026-45565

| EUVD-2026-36062 HIGH
Improper Input Validation (CWE-20)
2026-06-10 GitHub_M
Information Disclosure Nginx Apache
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 10, 2026 - 16:25 vuln.today
CVE Published
Jun 10, 2026 - 15:34 nvd
HIGH 8.1

DescriptionNVD

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its if/elif/elif/else flow returns the metacharacter-stripped value without also enforcing the .. block. An attacker who appends a single ;, &, |, $, or backtick to a .. payload routes the value through the strip arm, where .. survives unblocked and the result is not shlex.quote()'d either. At time of publication, there are no publicly available patches.

Articles & Coverage 1

News 11 New Apache Vulnerabilities - 4 Critical, 7 High Severity Jun 10, 2026

AnalysisAI

Path traversal bypass in Roxy-WI versions 8.2.6.4 and earlier allows authenticated remote attackers to escape input sanitization in the EscapedString Pydantic validator and inject shell metacharacters alongside '..' sequences. The flaw stems from a flawed if/elif/elif/else control flow that strips metacharacters without re-enforcing the '..' block, and the result is never shlex-quoted before reaching downstream command contexts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach Roxy-WI web UI over network
Delivery
Authenticate as low-privileged operator
Exploit
Submit '..' payload with ';' or '|' to EscapedString field
Install
Strip branch removes metacharacter but leaves '..'
C2
Unquoted value reaches downstream shell command
Execute
Read or overwrite sensitive files on Roxy-WI host
Impact
Pivot to managed HAProxy/Nginx/Apache backends
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The attacker must hold valid low-privileged credentials to the Roxy-WI web interface (CVSS PR:L) and reach it over the network (AV:N), and must submit input through one of the dozens of fields routed through the EscapedString Pydantic validator in app/modules/roxywi/class_models.py - confirmed examples include SSH credential name, username, and description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects a network-reachable, low-complexity flaw requiring low-privilege authentication, with high confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privileged Roxy-WI operator account submits a crafted value such as 'name;../../../../etc/shadow' to a field validated by EscapedString - for example an SSH credential name or description. The validator's strip branch removes the trailing ';' but leaves '../../../../etc/shadow' intact, and because the result is not shlex-quoted it is interpolated into a downstream shell command that reads or operates on the path, exposing sensitive files or letting the attacker overwrite configuration consumed by the managed HAProxy/Nginx/Apache/Keepalived backends. …
Remediation No vendor-released patch identified at time of analysis - the advisory explicitly states no public patch exists. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Roxy-WI deployments and verify running versions; review access logs and audit trails for suspicious administrative activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-45552 CRITICAL
9.9 Jun 10

Privilege escalation and cross-tenant compromise in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - i
CVE-2026-45556 CRITICAL
9.9 Jun 10

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated users to write attacker-controlled cont
CVE-2026-45558 CRITICAL
9.9 Jun 10

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to injec
CVE-2026-45550 CRITICAL
9.1 Jun 10

Cross-tenant data tampering in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user to silently overwrite HT
CVE-2026-45564 HIGH
8.8 Jun 10

Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to

Share

CVE-2026-45565 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy