PatchSiren cyber security CVE debrief
CVE-2026-45569 roxy-wi CVE debrief
CVE-2026-45569 is a path traversal vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. The issue arises from a flawed validation check in the `app/modules/config/config.py` file, which fails to properly block path traversal payloads. Specifically, the check uses tuple membership instead of substring containment, allowing payloads like `../../etc/passwd` to bypass security restrictions. At the time of publication, no publicly available patches are known.
- Vendor: roxy-wi
- Product: Unknown
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Administrators and users of Roxy-WI, especially those using versions 8.2.6.4 and prior, should be aware of this vulnerability and take necessary precautions to mitigate the risk.
Technical summary
The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The weakness is associated with CWE-22 and CWE-697.
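The comparison flaw described above (CWE-697 leading to CWE-22) can be reproduced in a few lines. The following is an added example, not code from Roxy-WI or from the advisory: the function names, the tuple contents and `BASE_DIR` are assumptions chosen to show the bug class next to two corrected forms.

```python
import os

# Hypothetical base directory for the example, not Roxy-WI's real path.
BASE_DIR = "/var/lib/example/configs"


def flawed_check(user_path: str) -> bool:
    """Constructed illustration of the bug class (True means 'accepted').

    `in` against a tuple tests equality with each element, so only the
    exact strings '..' and '/' are rejected, never a longer path.
    """
    return user_path not in ("..", "/")


def substring_check(user_path: str) -> bool:
    """The intended test: reject any path that contains '..'.

    Still brittle on its own: an absolute path such as '/etc/passwd'
    contains no '..' and is accepted.
    """
    return ".." not in user_path


def resolve_inside(base: str, user_path: str) -> str:
    """Sturdier control: canonicalise first, then require containment."""
    base_real = os.path.realpath(base)
    # os.path.join discards base_real when user_path is absolute, so the
    # containment test below also catches absolute-path input.
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


if __name__ == "__main__":
    # Sample inputs: the payload quoted in the summary plus constructed cases.
    for p in ("..", "../../etc/passwd", "/etc/passwd", "haproxy/haproxy.cfg"):
        try:
            resolved = resolve_inside(BASE_DIR, p)
        except ValueError as exc:
            resolved = f"rejected ({exc})"
        print(f"{p!r}: flawed={flawed_check(p)} "
              f"substring={substring_check(p)} resolved={resolved}")
```

Resolving the path and checking containment is the control to rely on; a string match on `..` is at most a first filter in front of it.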
Defensive priority
HIGH
Recommended defensive actions
- Review and update Roxy-WI to a version that addresses this vulnerability, if available.
- Implement additional security measures to restrict access to sensitive files and directories.
- Monitor systems for suspicious activity and potential exploitation attempts.
Evidence notes
The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-45569) and detailed on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-45569). Additional information can be found in the source item [source-item](https://services.nvd.nist.gov/rest/json/cves/2.0?lastModStartDate=2026-06-09T12%3A30%3A41.000Z&lastModEndDate=2026-06-13T16%3A31%3A51.000Z) and references [ref-4](https://github.com/roxy-wi/roxy-wi/commit/d4d10006) and [ref-5](https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-j6p4-8532-h9hv).
Official resources
CVE-2026-45569 was published on 2026-06-10T16:17:08.433Z and modified on 2026-06-11T14:16:28.447Z.