CVE-2026-45565 Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString app/modules/roxywi/classmodels.py:16-30 is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its...

CVE-2026-45565 Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString app/modules/roxywi/classmodels.py:16-30 is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its...

CVE-2026-45565

CVE-2026-45565 affects Roxy-WI up to 8.2.6.4. The issue lies in the EscapedString Pydantic validator (app/modules/roxywi/class_models.py:16-30): its if/elif/else path strips metacharacters but does not apply the surrounding .. block, allowing an attacker to append a single ;, &, |, $, or ` to a p...

CVE-2026-45556

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a configfilename form field that is passed straight through to configmod.masterslaveuploadandrestart... as the destination path. The validation chai...

CVE-2026-45558

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints POST /api/service/haproxy//section/ and the PUT / global / defaults variants accept a JSON option field that is not validated, not escaped, and ...

Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities

Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure. The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox...

CVE-2026-49740

TYPO3's cache frontend VariableFrontend and persistent key-value store Registry deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend cache store or sysregistry database table could inject a crafted serialized...

Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE

A high-severity security flaw in Langflow, an open-source low-code platform to build artificial intelligence AI applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 CVSS score: 8.8, a case of path...

CVE-2026-9279

Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name e.g. git, pandoc, grep, the argument string is concatenated with the command and passed to childprocess.spawn with the shell: true option, allowing shell...

CVE-2026-48860 Distribution-over-TLS LAN allowlist silently bypassed due to sockname/peername confusion in inet_tls_dist

Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl inettlsdist module allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inettlsdist:checkip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead...

CVE-2026-41283

A flaw was found in OpenStack Mistral. When the API is exposed, a remote attacker can exploit certain endpoints to achieve arbitrary code execution. This allows the attacker to run malicious code on the system and potentially exfiltrate sensitive service credentials. Mitigation Restrict network...

CVE-2026-52751

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes...

CVE-2026-45564 Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions////save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.systemf"dos2unix -q cfg". configver is not run...

EUVD-2026-36039

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints POST /api/service/haproxy//section/ and the PUT / global / defaults variants accept a JSON option field that is not validated, not escaped, and ...

CVE-2026-45558

Roxy-WI versions 8.2.6.4 and earlier expose a vulnerability in the HAProxy config generation pathway. The HAProxy section-save endpoints (POST /api/service/haproxy//section/ and related PUT /global/defaults) accept a JSON option field that is not validated or escaped and is rendered verbatim into...

CVE-2026-45558 Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints POST /api/service/haproxy//section/ and the PUT / global / defaults variants accept a JSON option field that is not validated, not escaped, and ...

CVE-2026-45556 Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a configfilename form field that is passed straight through to configmod.masterslaveuploadandrestart... as the destination path. The validation chai...

EUVD-2026-36038

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a configfilename form field that is passed straight through to configmod.masterslaveuploadandrestart... as the destination path. The validation chai...

CVE-2026-45556

Roxy-WI (versions <= 8.2.6.4) is affected by CVE-2026-45556. The vulnerability arises in POST /waf///rule//save: the config_file_name field is passed to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation only checks that the path contains a service substrin...

CVE-2026-45556 Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a configfilename form field that is passed straight through to configmod.masterslaveuploadandrestart... as the destination path. The validation chai...