PatchSiren cyber security CVE debrief
CVE-2026-45560 roxy-wi CVE debrief
CVE-2026-45560 is a medium-severity XSS vulnerability in Roxy-WI, a web interface for managing servers. The vulnerability exists in versions 8.2.6.4 and prior, where the `wrap_line` and `highlight_word` functions in `app/modules/common/common.py` build raw HTML by string concatenation with no escaping. This allows an attacker to inject an SVG payload into HAProxy/Nginx access logs, which can be executed when a Roxy-WI admin opens the log viewer.
- Vendor
- roxy-wi
- Product
- Unknown
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Administrators and users of Roxy-WI, particularly those managing HAProxy and Nginx servers, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79.
Defensive priority
High
Recommended defensive actions
- Upgrade to a patched version of Roxy-WI, if available.
- Implement input validation and output encoding to prevent XSS attacks.
- Monitor logs for suspicious activity and restrict access to log viewers.
Evidence notes
The vulnerability was published on June 10, 2026, and modified on the same day. There are no publicly available patches at the time of publication.
Official resources
-
CVE-2026-45560 CVE record
CVE.org
-
CVE-2026-45560 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-45560 was published on 2026-06-10T15:16:36.883Z and modified on 2026-06-10T19:37:41.437Z.