CVE-2026-45563

4.3 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CVSS: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-639, CWE-863

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-53738 — Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
CVE-2026-44692 — Sharp is a content management framework built for Laravel as a package (7.7 HIGH)
CVE-2026-49824 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.5 HIGH)
CVE-2026-49823 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)