Web Interface Vulnerability in Roxy-WI for Server Management
CVE-2026-45561

6.5MEDIUM

Key Information:

Vendor

Roxy-wi

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-45561?

Roxy-WI, a web interface designed for managing servers such as Haproxy, Nginx, Apache, and Keepalived, contains a security flaw in the handling of specific URL paths. Versions up to 8.2.6.4 allow attackers to manipulate requests using the /smon/agent/{version,uptime,status,checks}/<server_ip> routes. The application processes the path component without adequate validation, enabling potential exploitation through crafted inputs. This could involve directing data to local or private IPs, posing significant risks, particularly when exploited. As of now, no patches are available to mitigate this vulnerability.

Affected Version(s)

roxy-wi <= 8.2.6.4

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.