PatchSiren cyber security CVE debrief
CVE-2026-45564 roxy-wi CVE debrief
CVE-2026-45564 is a high-severity command-injection vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. It affects versions 8.2.6.4 and prior. An authenticated user whose role is less than or equal to 3 (i.e., the 'user' role) can exploit it to inject commands. The flaw arises because the `configver` URL-path parameter is interpolated directly into a config-version path that is then passed to `os.system`; since `configver` is neither sanitized nor validated, an attacker can inject arbitrary commands. At the time of publication, no patches are publicly available for this vulnerability.
- Vendor: roxy-wi
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators and users of Roxy-WI should be aware of this vulnerability and take the precautions below. Deployments that hand out user-level accounts (role 3 or lower) are at particular risk, since that is all the access exploitation requires.
Technical summary
The vulnerability is caused by missing sanitization and validation of the `configver` parameter in the `POST /config/versions/<service>/<server_ip>/<configver>/save` endpoint: an authenticated user with role <= 3 can place arbitrary commands in that parameter, and they are executed by `os.system`.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates as soon as they become available.
- Restrict access to the affected endpoint to trusted users and roles (an account with role <= 3 is sufficient to exploit it).
- Add input validation and sanitization for user-controlled parameters such as `configver`, and avoid passing user input to `os.system`, to prevent similar vulnerabilities.
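The following is an added illustration of the code pattern the technical summary describes and of the input-validation fix recommended above. It is not Roxy-WI's own code: the handler shape, the directory layout under `/tmp/roxy-wi-demo`, the regular expression and the helper names are all assumptions chosen for the demo. The vulnerable function only builds the command string and returns it instead of calling `os.system`, so the script is safe to run; the hardened function allow-lists every route parameter and returns an argv list that `subprocess.run` executes without a shell.

```python
"""Illustrative pattern (not Roxy-WI's own code): a URL-path parameter such as
`configver` interpolated into an os.system() string, beside a hardened variant
that allow-lists the value and runs the command without a shell."""
import ipaddress
import os
import re
import subprocess
from pathlib import Path

# Constructed demo layout; Roxy-WI's real directories are not on the page.
CONFIG_VERSIONS_ROOT = Path("/tmp/roxy-wi-demo/config-versions")
DEPLOY_ROOT = Path("/tmp/roxy-wi-demo/etc")

# Services the advisory says Roxy-WI manages, used here as an allow-list
# for the <service> route parameter (assumption: the set is closed).
KNOWN_SERVICES = frozenset({"haproxy", "nginx", "apache", "keepalived"})


def build_vulnerable_command(service: str, server_ip: str, configver: str) -> str:
    """The flawed shape: route parameters dropped straight into a shell string.

    Returned instead of executed so the demo is safe. os.system(cmd) would hand
    this string to /bin/sh, where ';', '&&', '|', '$(...)' and similar in
    configver are parsed as shell syntax rather than as part of a filename.
    """
    src = f"{CONFIG_VERSIONS_ROOT}/{service}/{server_ip}/{configver}"
    dst = f"{DEPLOY_ROOT}/{service}/{service}.cfg"
    return f"cp {src} {dst}"


# Hardened form -------------------------------------------------------------
# A version identifier only ever needs a short run of plain filename characters.
# The first character is restricted further so the value can never start with
# '.' (dot-dirs) or '-' (which cp would read as an option).
CONFIGVER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_configver(configver: str) -> bool:
    """Allow-list check: no path separators, no shell metacharacters, no dot-dirs."""
    if not isinstance(configver, str):
        return False
    return CONFIGVER_RE.fullmatch(configver) is not None


def validate_service(service: str) -> bool:
    return service in KNOWN_SERVICES


def validate_server_ip(server_ip: str) -> bool:
    try:
        ipaddress.ip_address(server_ip)
    except ValueError:
        return False
    return True


def build_safe_command(service: str, server_ip: str, configver: str) -> list:
    """Validate every route parameter, confine the source path to the versions
    tree, and return an argv list for subprocess (shell=False)."""
    if not (validate_service(service) and validate_server_ip(server_ip)
            and validate_configver(configver)):
        raise ValueError("rejected route parameter")
    src = CONFIG_VERSIONS_ROOT / service / server_ip / configver
    # Belt-and-braces containment check on the normalised path. No symlink
    # resolution is done, so the check behaves the same on every host.
    root = os.path.normpath(str(CONFIG_VERSIONS_ROOT))
    if os.path.commonpath([root, os.path.normpath(str(src))]) != root:
        raise ValueError("path escapes config-versions tree")
    dst = DEPLOY_ROOT / service / f"{service}.cfg"
    return ["cp", str(src), str(dst)]


def save_config_version(service: str, server_ip: str, configver: str) -> int:
    """Run the copy without a shell; argv elements are never re-parsed."""
    argv = build_safe_command(service, server_ip, configver)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # The injected separator survives untouched in the vulnerable string...
    print(build_vulnerable_command("haproxy", "10.0.0.5", "v1; echo injected"))
    # ...while the hardened builder only ever yields a plain argv list.
    print(build_safe_command("haproxy", "10.0.0.5", "haproxy.cfg-2026-06-10"))
```

The two defences are independent: the allow-list alone would already reject every shell metacharacter, and `shell=False` alone would already stop `/bin/sh` from reparsing the value. Keeping both means a future change to one (say, a looser regex to admit a new version-name format) does not silently reopen the injection.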
Evidence notes
The vulnerability is confirmed by the CVE record and the NVD detail page. The CVE record provides a brief description of the vulnerability, while the NVD detail page offers additional information, including the CVSS score and vector.
Official resources
- CVE-2026-45564 CVE record (CVE.org)
- CVE-2026-45564 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-45564 was published on 2026-06-10T15:16:37.307Z and modified on 2026-06-10T19:37:41.437Z.