CVE-2026-45561
6.5 MEDIUM
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS: 6.5 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-918
Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_port}/...'). The path component is constrained only by Flask's default URL converter, which permits any value (including IPv4 literals like 169.254.169.254, RFC1918 ranges, and 127.0.0.1). At time of publication, there are no publicly available patches.
Source: NVD
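A defensive check for the server_ip path value described above, as an added example (not Roxy-WI code and not a vendor patch). The function names, the inventory set and the port value are assumptions made for illustration; the idea is to parse the value strictly, refuse loopback and link-local targets, and only contact hosts that are already in the managed-server inventory.

```python
import ipaddress

# Constructed inventory of managed hosts (assumption); a real deployment
# would load this from the application's own server list.
REGISTERED_SERVERS = {"10.0.5.21", "192.0.2.40"}


def parse_agent_target(server_ip, registered=REGISTERED_SERVERS):
    """Return the parsed address of an allowed agent host, else raise ValueError."""
    # ip_address() rejects hostnames, "user@host" forms, short forms such
    # as "127.1", and integer-style strings.
    addr = ipaddress.ip_address(server_ip)
    # Unwrap ::ffff:a.b.c.d so the IPv4 checks below cannot be sidestepped.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved):
        raise ValueError(f"disallowed address class: {addr}")
    # RFC1918 hosts are often legitimate agents, so private ranges are not
    # blocked wholesale; membership in the inventory is what authorises them.
    allowed = {ipaddress.ip_address(s) for s in registered}
    if addr not in allowed:
        raise ValueError(f"not a registered server: {addr}")
    return addr


def build_agent_base_url(server_ip, agent_port, registered=REGISTERED_SERVERS):
    """Build the agent base URL from the parsed address, never the raw path value."""
    addr = parse_agent_target(server_ip, registered)
    port = int(agent_port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}:{port}"


if __name__ == "__main__":
    # Constructed sample inputs: one registered host, then values that must fail.
    for candidate in ["10.0.5.21", "169.254.169.254", "127.0.0.1", "10.0.5.99"]:
        try:
            print(candidate, "->", build_agent_base_url(candidate, 5101))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

A route handler would call build_agent_base_url() before any outbound request and return an error response on ValueError.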
Related CVEs
Same CWE
- CVE-2026-50131 — Fedify is a TypeScript library for building federated server apps powered by ActivityPub (8.6 HIGH)
- CVE-2026-50127 — Weblate is a web based localization tool (5.9 MEDIUM)
- CVE-2026-46683 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page
- CVE-2026-20252 — In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.1... (7.6 HIGH)
- CVE-2026-48858 — Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvali...