Vulnerability in Roxy-WI Web Interface for Managing Server Technologies
CVE-2026-45566
6.1 MEDIUM
What is CVE-2026-45566?
The Roxy-WI web interface, designed for managing HAProxy, Nginx, Apache, and Keepalived servers, has a significant vulnerability in its login flow. Versions up to 8.2.6.4 fail to properly block certain URLs, which allows attackers to craft malicious redirect links: by manipulating the 'next' URL parameter, an attacker could redirect users to potentially harmful sites. This occurs because the login flow validates incoming URLs incorrectly and does not account for URL syntax that includes user info. As a result, malicious URLs can be constructed in a way that circumvents the intended restrictions, posing a serious risk to users. Currently, there are no publicly available patches to mitigate this issue.
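The following is an added example, not Roxy-WI's code or a fix from the project: a post-login redirect validator that compares the parsed authority of `next` and rejects any user info, shown next to an assumed string-prefix check of the kind that user info syntax defeats. `TRUSTED_ORIGIN`, `naive_is_safe`, `safe_next` and the sample URLs are hypothetical names and constructed values.

```python
from urllib.parse import urlsplit

# Hypothetical trusted origin for this example (not taken from Roxy-WI).
TRUSTED_ORIGIN = "https://roxy.example"


def naive_is_safe(next_url: str) -> bool:
    """Assumed stand-in for a text-prefix check; it never parses the URL."""
    return next_url.startswith(TRUSTED_ORIGIN)


def safe_next(next_url: str, default: str = "/") -> str:
    """Return next_url only if it stays on TRUSTED_ORIGIN, else default."""
    # Backslashes and control characters are normalised differently by
    # browsers and server-side parsers, so refuse them outright.
    if not next_url or any(c in next_url for c in "\\\r\n\t"):
        return default
    try:
        parts = urlsplit(next_url)
    except ValueError:  # e.g. malformed bracketed host
        return default
    # Relative target: no scheme, no authority, exactly one leading slash.
    if not parts.scheme and not parts.netloc:
        if next_url.startswith("/") and not next_url.startswith("//"):
            return next_url
        return default
    # Absolute target: any user info ("user@host") is rejected, because the
    # text before "@" is not the host the browser will connect to.
    if "@" in parts.netloc:
        return default
    trusted = urlsplit(TRUSTED_ORIGIN)
    if parts.scheme != trusted.scheme or parts.netloc.lower() != trusted.netloc:
        return default
    return next_url


def compare(samples):
    """Return (url, naive verdict, hardened result) for each sample."""
    return [(u, naive_is_safe(u), safe_next(u)) for u in samples]


if __name__ == "__main__":
    # Constructed sample values; redirect.invalid is a placeholder host.
    for row in compare([
        "/overview",
        "https://roxy.example/overview",
        "https://roxy.example@redirect.invalid/overview",
    ]):
        print(row)
```

With no patch available, a check like this can also sit in a reverse proxy or WAF rule in front of the login endpoint, dropping `next` values that fail it.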
Affected Version(s)
roxy-wi <= 8.2.6.4
