cbcvebase.
CVE-2026-45564
published 2026-06-10

Priority: P260
Severity: high, 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (22.1th percentile)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions////save interpolates the URL-path parameter configver directly into a config-version path that is then passed to os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic does not validate path segments declared as plain str), and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") can therefore reach a /bin/sh -c command-injection sink. At the time of publication there are no publicly available patches.
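The hardened shape of this sink, as an added example that is not Roxy-WI's own code: the version identifier is allow-listed as a single path segment, the resulting path is proven to stay inside the versions directory, and dos2unix is executed as an argv list so the path is never parsed by /bin/sh -c. The directory path and all function names are assumptions for illustration.

```python
import re
import subprocess
from pathlib import Path

# Assumed, illustrative location of saved config versions (not Roxy-WI's real path).
CONFIG_VERSIONS_DIR = Path("/var/lib/roxy-wi/config_versions")

# Allow-list for a version identifier: one path segment, no separators,
# no whitespace, no shell metacharacters. Everything else is rejected.
CONFIGVER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def validate_configver(configver: str) -> str:
    """Return configver unchanged if it is a safe single path segment, else raise."""
    if not isinstance(configver, str) or not CONFIGVER_RE.fullmatch(configver):
        raise ValueError("configver must match [A-Za-z0-9][A-Za-z0-9._-]{0,127}")
    if ".." in configver:
        raise ValueError("configver may not contain '..'")
    return configver


def build_config_path(configver: str) -> Path:
    """Join the validated segment onto the base dir and prove it stayed inside."""
    name = validate_configver(configver)
    base = CONFIG_VERSIONS_DIR.resolve()
    cfg = (base / name).resolve()
    if cfg.parent != base:
        raise ValueError("config path escaped the versions directory")
    return cfg


def dos2unix_argv(cfg: Path) -> list:
    """argv for dos2unix. A list without shell=True is handed to execve as
    discrete arguments; os.system(f"...{cfg}") would instead hand the whole
    string to /bin/sh -c, which is the sink described in the advisory."""
    return ["dos2unix", "-q", str(cfg)]


def normalize_line_endings(configver: str, run=subprocess.run):
    """Validate first, then exec argv directly. `run` is injectable (hypothetical
    parameter) so the argv can be checked without dos2unix installed."""
    cfg = build_config_path(configver)
    return run(dos2unix_argv(cfg), check=True)
```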

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| roxy-wi | roxy-wi | <= 8.2.6.4 | |