PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45559 roxy-wi CVE debrief

CVE-2026-45559 is a vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The `get_ldap_email` function in `app/modules/roxywi/user.py` (lines 120-157) is vulnerable to LDAP search filter injection. The username URL path parameter is not properly sanitized, allowing an attacker to inject additional LDAP clauses. This could enable an attacker to enumerate or harvest attributes outside the intended record. The CVSS score for this vulnerability is 4.9, with a severity rating of MEDIUM.

Vendor: roxy-wi
Product: Unknown
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Administrators and users of Roxy-WI, especially those using versions 8.2.6.4 and prior, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The `get_ldap_email` function in Roxy-WI is vulnerable to LDAP search filter injection due to improper sanitization of the username URL path parameter. This allows an attacker to inject additional LDAP clauses, potentially enabling enumeration or harvesting of attributes outside the intended record.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update to a patched version of Roxy-WI, if available.
  • Implement proper input validation and sanitization for the username URL path parameter.
  • Monitor for suspicious activity and implement additional security measures to prevent exploitation.
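The technical summary and the second defensive action above both concern the same fix: the username must not reach the LDAP filter unescaped. The example below is added here and is not Roxy-WI's code; it assumes the lookup builds a filter of the form `(<attr>=<username>)` (attribute name `uid` is an assumption), shows the raw-concatenation pattern beside a version that applies RFC 4515 value escaping plus an allowlist, and counts filter assertions to make the difference visible.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
# python-ldap ships ldap.filter.escape_filter_chars for the same purpose; this
# stand-alone copy keeps the example dependency-free.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for a username path parameter (assumed policy, not Roxy-WI's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a value for safe embedding in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_email_filter_unsafe(username: str, user_attr: str = "uid") -> str:
    """Pattern behind the flaw class: the raw parameter is concatenated in."""
    return f"({user_attr}={username})"


def build_email_filter_safe(username: str, user_attr: str = "uid") -> str:
    """Hardened form: reject unexpected characters, then escape what remains."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return f"({user_attr}={escape_filter_value(username)})"


def assertion_count(ldap_filter: str) -> int:
    """Number of filter assertions, i.e. unescaped '(' characters.

    A single-attribute lookup should yield exactly 1; anything higher means the
    caller's input added clauses to the query.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    tainted = "alice)(mail=*"
    print(build_email_filter_unsafe(tainted), assertion_count(build_email_filter_unsafe(tainted)))
    print(build_email_filter_safe("alice"), assertion_count(build_email_filter_safe("alice")))
```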

Evidence notes

The CVE record and NVD detail for CVE-2026-45559 provide additional information on this vulnerability.

Official resources

CVE-2026-45559 was published on 2026-06-10T15:16:36.743Z and modified on 2026-06-10T19:37:41.437Z.