CVE-2026-45566
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the login flow improperly handles URLs, allowing for an open redirect attack.
Risk Assessment
An attacker could exploit this vulnerability to redirect users to malicious sites, potentially leading to data theft or malware. Organizations should be aware of the risks associated with unauthorized access to their systems.
Recommendation
It is recommended to update Roxy-WI to the latest version as soon as patches become available. Additionally, implementing extra URL validation mechanisms in the login process is advisable.
Original NVD description (English source)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. [email protected]/path produces https://[email protected]/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.

