Lucene search
K

12 matches found

RedhatCVE
RedhatCVE
added 2026/06/11 2:59 p.m.12 views

CVE-2026-45561

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://serverip:agentport/...'. The path component is...

6.5CVSS5.4AI score0.00218EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 3:16 p.m.11 views

CVE-2026-45549

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS0.00199EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 2:3 p.m.34 views

CVE-2026-45561 Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://serverip:agentport/...'. The path component is...

6.5CVSS0.00218EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 2:3 p.m.8 views

CVE-2026-45561 Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://serverip:agentport/...'. The path component is...

6.5CVSS5.4AI score0.00218EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 2:3 p.m.20 views

CVE-2026-45561

CVE-2026-45561 affects Roxy-WI web interface (versions 8.2.6.4 and earlier) and allows SSRF via the /smon/agent/{version,uptime,status,checks}/ endpoints. The path component is passed verbatim into requests.get("http://{server_ip}:{agent_port}/...") and is only constrained by Flask’s default URL ...

6.5CVSS5.5AI score0.00218EPSS
Exploits0References1
CVE
CVE
added 2026/06/10 1:59 p.m.22 views

CVE-2026-45549

CVE-2026-45549 affects Roxy-WI web interface for managing HAProxy/Nginx/Apache/Keepalived. In versions 8.2.6.4 and prior, the code path agent_action (app/routes/smon/agent_routes.py:166-179) uses @bp.post('/agent/action/') and @jwt_required() with no role or group ownership check on the server_ip...

8.5CVSS5.5AI score0.00199EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 1:59 p.m.6 views

CVE-2026-45549 Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS5.5AI score0.00199EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/10 1:59 p.m.34 views

CVE-2026-45549 Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...

8.5CVSS0.00199EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.10 views

PT-2026-48440

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/version,uptime,status,checks/ family of routes takes the URL path component verbatim into requests.getf'http://server ip:agent port/...'. The path component is...

6.5CVSS5.5AI score0.00218EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.16 views

PT-2026-48433

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent action app/routes/smon/agent routes.py:166-179 has decorators @bp.post'/agent/action/' and @jwt required only — no role check, no group ownership check on the server ip form...

8.5CVSS5.5AI score0.00199EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.10 views

Roxy-WI 代码问题漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions of Roxy-WI 8.2.6.4 and earlier have a code vulnerability. This vulnerability stems from the /smon/agent/route function directly passing URL path components to requests.get, which may all...

6.5CVSS5.4AI score0.00218EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.13 views

Roxy-WI 安全漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Roxy-WI versions 8.2.6.4 and earlier contain security vulnerabilities. These vulnerabilities stem from a lack of role checks and group ownership checks on the agentaction endpoint. Any...

8.5CVSS5.3AI score0.00199EPSS
Exploits0References2
Rows per page
Query Builder