roxy-wi Cyber Security Vulnerability Stats and Metrics

Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)

CVE-2026-45569

Roxy-wiRoxy-wi8.1HIGH

Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt

CVE-2026-45567

Roxy-wiRoxy-wi8.3HIGH

Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass

CVE-2026-45566

Roxy-wiRoxy-wi6.1MEDIUM

Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)

CVE-2026-45565

Roxy-wiRoxy-wi8.1HIGH

Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)

CVE-2026-45564

Roxy-wiRoxy-wi8.8HIGH

Roxy-WI: IDOR — any authenticated user can read another user's full action history

CVE-2026-45563

Roxy-wiRoxy-wi4.3MEDIUM

Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs

CVE-2026-45561

Roxy-wiRoxy-wi6.5MEDIUM

Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)

CVE-2026-45560

Roxy-wiRoxy-wi6.1MEDIUM

Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)

CVE-2026-45559

Roxy-wiRoxy-wi4.9MEDIUM

Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save

CVE-2026-45558

Roxy-wiRoxy-wi9.9CRITICAL

Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`

CVE-2026-45556

Roxy-wiRoxy-wi9.9CRITICAL

Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/body

CVE-2026-45550

Roxy-wiRoxy-wi9.1CRITICAL

Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

CVE-2026-45549

Roxy-wiRoxy-wi8.5HIGH

Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

CVE-2026-45552

Roxy-wiRoxy-wi9.9CRITICAL

Remote Code Execution Vulnerability in Roxy-WI by Roxy-WI

CVE-2026-33208

Roxy-wiRoxy-wi7.4HIGH

SQL Injection Vulnerability in Roxy-WI Web Management Interface

CVE-2026-33078

Roxy-wiRoxy-wi8.9HIGH

Arbitrary File Read Vulnerability in Roxy-WI Web Interface for Server Management

CVE-2026-33077

Roxy-wiRoxy-wi7.7HIGH

Remote Code Execution Vulnerability in Roxy-WI Web Interface for Haproxy, Nginx, Apache, and Keepalived

CVE-2026-33076

Roxy-wiRoxy-wi8.9HIGH

LDAP Injection Vulnerability in Roxy-WI Web Interface by Roxy-WI

CVE-2026-33432

Roxy-wiRoxy-wi7.7HIGH

Path Traversal Vulnerability in Roxy-WI Web Interface for Server Management

CVE-2026-33431

Roxy-wiRoxy-wi5.7MEDIUM

Command Injection Vulnerability in Roxy-WI Web Interface by Roxy-WI

CVE-2026-27811

Roxy-wiRoxy-wi8.8HIGH

Command Injection Vulnerability in Roxy-WI Web Interface for Server Management

CVE-2026-22265

Roxy-wiRoxy-wi7.5HIGH

OS Command Injection Vulnerability in Roxy-WI by Roxy-WI Team

CVE-2024-13129

Roxy-WI TeamRoxy-wi👾🟡8.7HIGH

OS Command Injection Through Port Scanning on Roxy-WI Web Interface

CVE-2024-43804

Roxy-wiRoxy-wi8.8HIGH

SQL Injection Vulnerability in Roxy-WI by Hap-Wi

CVE-2021-38168

Roxy-wiRoxy-wi8.8HIGH

roxy-wi Summary

Vulnerability Published:

Sort By:

10 June 2026

Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)

Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt

Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass

Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)

Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)

Roxy-WI: IDOR — any authenticated user can read another user's full action history

Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs

Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)

Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)

Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save

Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`

Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/body

Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

24 April 2026

Remote Code Execution Vulnerability in Roxy-WI by Roxy-WI

SQL Injection Vulnerability in Roxy-WI Web Management Interface

Arbitrary File Read Vulnerability in Roxy-WI Web Interface for Server Management

Remote Code Execution Vulnerability in Roxy-WI Web Interface for Haproxy, Nginx, Apache, and Keepalived

20 April 2026

LDAP Injection Vulnerability in Roxy-WI Web Interface by Roxy-WI

Path Traversal Vulnerability in Roxy-WI Web Interface for Server Management

17 March 2026

Command Injection Vulnerability in Roxy-WI Web Interface by Roxy-WI

15 January 2026

Command Injection Vulnerability in Roxy-WI Web Interface for Server Management

3 January 2025

OS Command Injection Vulnerability in Roxy-WI by Roxy-WI Team

29 August 2024

OS Command Injection Through Port Scanning on Roxy-WI Web Interface

7 August 2021

SQL Injection Vulnerability in Roxy-WI by Hap-Wi