QSearchQSearch

CVE-2026-45566

6.1 MEDIUM

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CVSS
6.1 MEDIUM
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-601

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. next=@evil.example/path produces https://victim.example@evil.example/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-46616 Umbraco is an ASP.NET CMS (5.4 MEDIUM)
  • CVE-2026-48856 Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data
  • CVE-2026-53440 Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" secur... (4.3 MEDIUM)
  • CVE-2026-53437 Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenk... (4.3 MEDIUM)
  • CVE-2026-53436 Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenk... (4.3 MEDIUM)