CVE Catalog

CVE-2026-45566

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

8th percentile — higher than 8% of all known CVEs

Summary

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the login flow improperly handles URLs, allowing for an open redirect attack.

Risk Assessment

An attacker could exploit this vulnerability to redirect users to malicious sites, potentially leading to data theft or malware. Organizations should be aware of the risks associated with unauthorized access to their systems.

Recommendation

It is recommended to update Roxy-WI to the latest version as soon as patches become available. Additionally, implementing extra URL validation mechanisms in the login process is advisable.

Original NVD description (English source)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. [email protected]/path produces https://[email protected]/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS