PatchSiren cyber security CVE debrief
CVE-2026-45565 roxy-wi CVE debrief
A vulnerability was discovered in Roxy-WI, a web interface used for managing HAProxy, Nginx, Apache, and Keepalived servers. The issue lies in the EscapedString validator, which is applied to multiple fields, including the SSH credential name, username, and description. This validator has a flawed if/elif/elif/else flow that fails to properly block the '..' sequence, allowing an attacker to bypass validation. By appending certain shell metacharacters such as ';', '&', '|', '$', or a backtick to a payload containing '..', an attacker can exploit this vulnerability. The affected versions are 8.2.6.4 and prior. At the time of publication, no patches are publicly available.
- Vendor: roxy-wi
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators and users of Roxy-WI, especially those using versions 8.2.6.4 and prior, should be aware of this vulnerability and take necessary precautions to mitigate potential attacks.
Technical summary
The EscapedString validator in Roxy-WI (app/modules/roxywi/class_models.py, lines 16-30) does not properly enforce the '..' block: when the input also contains a shell metacharacter, the check is bypassed, allowing attackers to get past validation and potentially execute arbitrary commands.
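As an added illustration, not Roxy-WI's own code: a validator written the way a fix for this bug class would be, with every rejection rule evaluated independently instead of as mutually exclusive if/elif branches, and the accepted character set expressed as an allowlist so no metacharacter has to be enumerated. The allowlist, the length limit, and the function names are assumptions for this example.

```python
import re

# Allowlist for names/usernames/descriptions. This set is an assumption for
# the example, not the character set Roxy-WI itself accepts.
ALLOWED = re.compile(r"[A-Za-z0-9 ._@\-]*")
MAX_LEN = 255


def check_escaped_string(value):
    """Return the list of reasons `value` is rejected (empty list = accepted).

    Every rule is evaluated; none is an `elif` of another, so a string that
    trips several rules at once (e.g. '..' together with ';') cannot slip
    through because one branch consumed it first.
    """
    if not isinstance(value, str):
        return ["not a string"]
    reasons = []
    if len(value) > MAX_LEN:
        reasons.append("too long")
    if not ALLOWED.fullmatch(value):
        bad = sorted({c for c in value if not ALLOWED.fullmatch(c)})
        reasons.append(f"disallowed characters {bad!r}")
    # '.' alone is allowed, so the '..' sequence needs its own explicit rule.
    if ".." in value:
        reasons.append("contains '..'")
    return reasons


def validate_escaped_string(value):
    """Raise on any rejection reason; return the value unchanged if clean."""
    reasons = check_escaped_string(value)
    if reasons:
        raise ValueError("; ".join(reasons))
    return value


if __name__ == "__main__":
    # Constructed sample inputs: one clean name and one that combines '..'
    # with a shell metacharacter, which must fail on both rules at once.
    print(check_escaped_string("prod-web01"))   # []
    print(check_escaped_string("conf..;x"))     # two reasons
```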
Defensive priority
HIGH
Recommended defensive actions
- Review and update Roxy-WI to a patched version when available.
- Restrict access to sensitive fields and monitor for suspicious activity.
- Implement additional security measures to prevent exploitation.
Evidence notes
CVE-2026-45565 has a CVSS score of 8.1 and is classified as HIGH severity.
Official resources
- CVE-2026-45565 CVE record (CVE.org)
- CVE-2026-45565 NVD detail (NVD)
- Source item: nvd_modified
- Source reference
CVE-2026-45565 was published on 2026-06-10T16:17:07.350Z and modified on 2026-06-10T19:37:41.437Z.