Lucene search
K

285 matches found

Cvelist
Cvelist
added 2026/06/10 1:59 p.m.37 views

CVE-2026-45549 Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS0.00199EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 1:59 p.m.7 views

CVE-2026-45549 Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS5.5AI score0.00199EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 1:59 p.m.12 views

EUVD-2026-36036

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS5.5AI score0.00199EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 1:59 p.m.27 views

CVE-2026-45549

CVE-2026-45549 affects Roxy-WI web interface for managing HAProxy/Nginx/Apache/Keepalived. In versions 8.2.6.4 and prior, the code path agent_action (app/routes/smon/agent_routes.py:166-179) uses @bp.post('/agent/action/') and @jwt_required() with no role or group ownership check on the server_ip...

8.5CVSS5.5AI score0.00199EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 1:59 p.m.36 views

CVE-2026-45552 Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...

9.9CVSS0.00267EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 1:59 p.m.8 views

CVE-2026-45552 Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...

9.9CVSS5.5AI score0.00267EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/10 1:59 p.m.11 views

EUVD-2026-36035

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.beforerequest → @jwtrequired app/routes/install/routes.py:36-39. The individual endpoints installexporter, installwaf, installgeoip,...

9.9CVSS5.5AI score0.00267EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 1:59 p.m.26 views

CVE-2026-45552

CVE-2026-45552 affects Roxy-WI web interface (versions up to 8.2.6.4). The install blueprint allows bp.before_request → @jwt_required(), but several endpoints under /install/* (install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, get_task_status) lack admin/ownership c...

9.9CVSS5.5AI score0.00267EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.35 views

PT-2026-48436

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf///rule//save accepts a config file name form field that is passed straight through to config mod.master slave upload and restart... as the destination path. The validati...

9.9CVSS5.5AI score0.00372EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.14 views

PT-2026-48434

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check app/routes/smon/routes.py:117-138 gates only on roxywi common.check user group for flask — which validates that the caller has some group, not that the target chec...

9.1CVSS5.8AI score0.00196EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.15 views

PT-2026-48435

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before request → @jwt required app/routes/install/routes.py:36-39. The individual endpoints install exporter, install waf, install geoip,...

9.9CVSS5.5AI score0.00267EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.18 views

PT-2026-48439

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap line app/modules/common/common.py:181-186 and highlight word app/modules/common/common.py:188-192 build raw HTML by string concatenation with no escaping. The frontend...

6.1CVSS5.4AI score0.00149EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.17 views

PT-2026-48460

Name of the Vulnerable Software and Affected Versions Roxy-WI versions prior to 8.2.6.5 Description A path-traversal issue exists in the web interface used for managing Haproxy, Nginx, Apache, and Keepalived servers. A security check implemented in the config.py file within the app/modules/config...

8.1CVSS5.2AI score0.00316EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.15 views

PT-2026-48458

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://request.hostnext url and the JS client redirects via...

6.1CVSS5.5AI score0.00153EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.13 views

PT-2026-48457

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString app/modules/roxywi/class models.py:16-30 is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. It...

8.1CVSS5.5AI score0.00304EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.15 views

Roxy-WI 跨站脚本漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions of Roxy-WI 8.2.6.4 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of escaping of the wrapline and highlightword functions when...

6.1CVSS5.5AI score0.00149EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.15 views

Roxy-WI 输入验证错误漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions of Roxy-WI 8.2.6.4 and earlier contain a vulnerability related to input validation errors. This vulnerability stems from HAProxy saving unvalidated and unescaped JSON field values direct...

9.9CVSS6AI score0.00439EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.14 views

Roxy-WI 安全漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Roxy-WI versions 8.2.6.4 and earlier contain security vulnerabilities. These vulnerabilities stem from a lack of role checks and group ownership checks on the agentaction endpoint. Any...

8.5CVSS5.3AI score0.00199EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.16 views

Roxy-WI 输入验证错误漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions of Roxy-WI 8.2.6.4 and earlier contain a vulnerability related to input validation errors. This vulnerability stems from the POST /waf///rule//save endpoint accepting the configfilename...

9.9CVSS5.5AI score0.00372EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.15 views

Roxy-WI 路径遍历漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions of Roxy-WI 8.2.6.4 and earlier contain a path traversal vulnerability. This vulnerability stems from the use of metagroup tests instead of substring containment in path traversal checks,...

8.1CVSS5.3AI score0.00316EPSS
Exploits0References1
Rows per page
Query Builder