Remote Code Execution Vulnerability in Roxy-WI Web Interface for Load Balancers
CVE-2026-45556

9.9 CRITICAL

Key Information:

Vendor: Roxy-wi

Status
Vendor
CVE Published: 10 June 2026

What is CVE-2026-45556?

A vulnerability in Roxy-WI, specifically in its management of load balancers such as HAProxy, Nginx, Apache, and Keepalived, allows an attacker to achieve remote code execution. The flaw arises from insecure handling of the 'config_file_name' form field, which permits arbitrary path traversal. Because the destination path is not properly validated, an attacker can craft malicious filenames that lead to the execution of arbitrary scripts with root privileges on the load balancer. Successful exploitation can result in significant compromise, allowing attackers to insert cron jobs that are executed under high privileges. At the time of reporting, there are no known patches available to remediate this vulnerability.
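One way to validate a destination path built from a user-supplied file name, shown as an added example that is not Roxy-WI's code or a vendor patch. The function names, the file-name allowlist and the sample directory are assumptions made for illustration.

```python
import os
import re
import tempfile

# Hypothetical allowlist: one path component ending in .cfg or .conf.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.(?:cfg|conf)")


def resolve_config_path(base_dir: str, config_file_name: str) -> str:
    """Return the absolute destination for config_file_name inside base_dir.

    Raises ValueError if the name is not a plain file name or if the
    resolved path (after following symlinks) leaves base_dir.
    """
    if not _SAFE_NAME.fullmatch(config_file_name):
        raise ValueError(f"rejected file name: {config_file_name!r}")
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, config_file_name))
    # realpath collapses '..' and follows symlinks, so a link inside
    # base_dir that points elsewhere is caught here, not by the regex.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError(f"destination escapes {base}: {dest}")
    return dest


def check_names(base_dir, names):
    """Map each submitted name to its resolved path, or None if rejected."""
    results = {}
    for name in names:
        try:
            results[name] = resolve_config_path(base_dir, name)
        except ValueError:
            results[name] = None
    return results


if __name__ == "__main__":
    # Constructed sample input; the temp directory stands in for a
    # service's configuration directory.
    with tempfile.TemporaryDirectory() as base:
        os.symlink("/", os.path.join(base, "link.conf"))
        samples = ["haproxy.cfg", "../outside.conf", "/tmp/abs.conf",
                   "sub/dir.conf", "link.conf"]
        for name, dest in check_names(base, samples).items():
            print(f"{name!r:20} -> {dest or 'REJECTED'}")
```

The name check and the resolved-path check are both needed: the first rejects separators and leading dots, the second catches a symlink that already exists inside the configuration directory.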

Affected Version(s)

roxy-wi <= 8.2.6.4

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved