Injection Vulnerability in Roxy-WI Web Interface for HAProxy and Nginx
CVE-2026-45558

9.9 CRITICAL

Key Information:

Vendor: Roxy-wi

Status
Vendor
CVE Published: 10 June 2026

What is CVE-2026-45558?

The Roxy-WI web interface, used for managing HAProxy, Nginx, and Apache servers, is susceptible to an unvalidated JSON input vulnerability. In versions up to 8.2.6.4, certain endpoints allow authenticated users to inject arbitrary HAProxy directives directly into the generated configuration files. This occurs through unescaped input rendering in Ansible templates, enabling potential remote code execution on affected load balancers. As a result, an attacker with a specific user role can exploit this issue to execute commands during health checks, compromising the overall security of the load balancing infrastructure. At the time of this report, no patches are available to mitigate the risk.
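A defensive sketch of the missing control, added here as an example and not taken from Roxy-WI's code: each value bound for the line-oriented HAProxy configuration must be a single token, and the rendered section is then checked against an allowlist of directives. The field names, template and sample requests are hypothetical and constructed, since the advisory does not list the affected endpoints or JSON schema.

```python
import re

# Hypothetical field names and template; the advisory does not give Roxy-WI's schema.
TOKEN = re.compile(r"[A-Za-z0-9_.:-]{1,64}")  # one config word: no whitespace, quotes, '#' or '\'
ALLOWED_KEYWORDS = {"backend", "balance", "server"}  # directives this template may emit
TEMPLATE = "backend {name}\n    balance {balance}\n    server {server} {address}:{port} check\n"


def validate(fields: dict) -> dict:
    """Return a cleaned copy of fields, or raise ValueError if any value is not one token."""
    clean = {}
    for key in ("name", "balance", "server", "address"):
        value = fields.get(key)
        if not isinstance(value, str) or not TOKEN.fullmatch(value):
            raise ValueError(f"field {key!r} is not a single configuration token")
        clean[key] = value
    port = fields.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("field 'port' must be an integer in 1..65535")
    clean["port"] = port
    return clean


def unexpected_directives(rendered: str) -> list:
    """Second check on rendered text: lines whose first word is not an allowed keyword."""
    bad = []
    for line in rendered.splitlines():
        words = line.split()
        if words and words[0] not in ALLOWED_KEYWORDS:
            bad.append(line.strip())
    return bad


def render_checked(fields: dict) -> str:
    """Validate the input, render the section, then verify the rendered directives."""
    rendered = TEMPLATE.format(**validate(fields))
    if unexpected_directives(rendered):
        raise ValueError("rendered section contains directives outside the allowlist")
    return rendered


# Constructed inputs: a normal request, and one whose 'server' value carries a line break.
GOOD = {"name": "app", "balance": "roundrobin", "server": "web01",
        "address": "10.0.0.5", "port": 8080}
BAD = dict(GOOD, server="web01\n    placeholder-directive value")

if __name__ == "__main__":
    print(render_checked(GOOD))
    print(unexpected_directives(TEMPLATE.format(**BAD)))  # what unchecked rendering would add
```

The post-render check also works as an audit: run `unexpected_directives` over sections already deployed, with the allowlist set to the directives your templates are meant to produce.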

Affected Version(s)

roxy-wi <= 8.2.6.4

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
