7 matches found
CVE-2026-45559
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...
EUVD-2026-36040
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...
EUVD-2026-36037
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check app/routes/smon/routes.py:117-138 gates only on roxywicommon.checkusergroupforflask — which validates that the caller has some group, not that the target checkid...
CVE-2026-22265 Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py...
PT-2026-3072
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in app/modules/roxywi/logs.py...
Roxy-WI 操作系统命令注入漏洞
Roxy-WI is a Roxy-WI open source web interface for managing Haproxy, Nginx and Keepalived servers. An operating system command injection vulnerability exists in Roxy-WI 8.1.3 and earlier versions, which stems from the parameter action/service in the actionservice function of the file...
CVE-2022-31125
CVE-2022-31125: Roxy-WI authentication bypass vulnerability allowing remote, unauthenticated access to admin functionality via a crafted HTTP request. Affected: Roxy-WI before 6.1.1.0. Exploitation exists (exploit-db/poC references). Remediation: upgrade to version 6.1.1.0 or later; exploit examp...