CVE-2026-45565 Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString app/modules/roxywi/classmodels.py:16-30 is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its...

CVE-2025-59140

backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect...

CVE-2023-40121

In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation...

Hostname spoofing via backslashes in URL

Overview Impact urijs before version 1.19.6 is affected by hostname spoofing issue. If using urijs to determine a URL's hostname, the hostname can be spoofed by using a backslash \ character as part of the scheme delimiter, e.g. scheme:/\hostname. If the hostname is used in security decisions, th...