CVE-2026-45564
8.8 HIGHRoxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers
Published: 2026-06-10 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 8.8 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-78
Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a bin/sh -c command-injection sink. At time of publication, there are no publicly available patches.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
- CVE-2026-42563 — Dulwich is a pure-Python implementation of the Git file formats and protocols
- CVE-2026-0273 — A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrict...
- CVE-2026-6893 — A flaw was found in dracut (8.8 HIGH)
- CVE-2026-46643 — Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a url or a html page