Severity by source: NVD (primary rating, the only source for this CVE)
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Description (NVD)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow validates `next` URLs only by rejecting strings that contain the substrings `https://` or `http://`, then constructs `https://{request.host}{next_url}`, and the JS client redirects via `window.location.replace()`. The check does not consider the `userinfo@host` syntax: `next=@evil.example/path` produces `https://victim.example@evil.example/path`, which all modern browsers route to `evil.example`. At time of publication, there are no publicly available patches.
Analysis (AI-generated)
Open redirect in Roxy-WI versions 8.2.6.4 and prior allows unauthenticated remote attackers to silently redirect authenticated users to attacker-controlled domains by exploiting a bypass in the login flow's URL filter. The filter blocks next parameter values containing http:// or https:// substrings but does not account for RFC-3986 userinfo@host syntax; submitting next=@evil.example/path causes the server to construct https://victim.example@evil.example/path, which modern browsers route to evil.example. …
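As an added illustration (not code from Roxy-WI or from the advisory), the Python below places the substring filter described above beside a same-origin check that rejects scheme-relative and userinfo forms; `VICTIM_HOST` and the candidate `next` values are constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample host standing in for the Roxy-WI instance (not from the advisory).
VICTIM_HOST = "victim.example"


def weak_next_check(next_url: str) -> bool:
    """The filter the advisory describes: pass anything lacking a literal scheme prefix."""
    return "http://" not in next_url and "https://" not in next_url


def build_redirect(next_url: str) -> str:
    """Mirror the advisory's construction of https://{request.host}{next_url}."""
    return f"https://{VICTIM_HOST}{next_url}"


def effective_host(next_url: str) -> Optional[str]:
    """Host a browser would actually contact for the constructed redirect URL.

    For a userinfo-style value the part before '@' becomes the username and the
    real authority is whatever follows it.
    """
    return urlsplit(build_redirect(next_url)).hostname


def hardened_next_check(next_url: str) -> bool:
    """Accept only a same-origin absolute path: no scheme, no authority, no userinfo."""
    # Must be an absolute path, but not a scheme-relative "//host" or "/\host" form.
    if not next_url.startswith("/") or next_url[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        return False
    # Resolve against the site and confirm the authority did not change.
    resolved = urlsplit(urljoin(f"https://{VICTIM_HOST}/", next_url))
    return resolved.hostname == VICTIM_HOST and resolved.username is None


if __name__ == "__main__":
    for candidate in ("/dashboard", "@evil.example/path", "//evil.example/x"):
        print(candidate, weak_next_check(candidate), effective_host(candidate),
              hardened_next_check(candidate))
```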
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The victim must interact with a crafted Roxy-WI login URL containing a malicious `next` parameter value, as confirmed by UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 Medium score reflects a network-accessible (AV:N), low-complexity (AC:L) attack that requires no privileges (PR:N) but needs user interaction (UI:R), with a Changed scope (S:C) and low confidentiality and integrity impact (C:L/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a Roxy-WI administrator crafts a phishing email containing a login URL such as `https://victim.example/login?next=@evil.example/fake-login`. The administrator clicks the link, authenticates against the legitimate Roxy-WI instance, and is silently redirected to `evil.example`, which serves a credential-harvesting page mimicking Roxy-WI. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the advisory explicitly states that no publicly available patches exist as of publication. … Detailed patch versions, workarounds, and compensating controls in full report. |
EUVD-2026-36063