These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-45569 is a path traversal vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. The issue arises from a flawed validation check in the `app/modules/config/config.py` file, which fails to properly block path traversal payloads. Specifically, the check uses tuple membership instead of substring co [truncated]
CVE-2026-45567 is a HIGH-severity vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability allows for authentication bypass via the 'api' substring in a URL and unauthenticated access to the /api/gpt endpoint. At the time of publication, there are no publicly available patches for this vulnerability.
A vulnerability was discovered in Roxy-WI, a web interface used for managing Haproxy, Nginx, Apache, and Keepalived servers. The issue lies in the EscapedString validator, which is used on multiple fields, including SSH credential name, username, and description. This validator has a flawed if/elif/elif/else flow that fails to properly block the '..' sequence, allowing an attacker to bypass validation. B [truncated]
CVE-2026-45564 is a high-severity vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. An authenticated user with a role less than or equal to 3 (i.e., a 'user' role) can exploit this vulnerability to inject commands. The vulnerability arises from the interpolation of the URL-path `configver` parameter [truncated]
CVE-2026-45563 is a vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the GET /history/<service>/<server_ip> endpoint reuses the server_ip path parameter as a user-id when the service is 'user', without proper authorization checks. This allows any authenticated user, including guests in unrelated groups, to list the full a [truncated]
A vulnerability was discovered in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Specifically, versions 8.2.6.4 and prior are affected. The issue lies in the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes, where the URL path component is directly used in requests without proper validation. This allows an attacker to send requests to arbitrary [truncated]
CVE-2026-45560 is a medium-severity XSS vulnerability in Roxy-WI, a web interface for managing servers. The vulnerability exists in versions 8.2.6.4 and prior, where the `wrap_line` and `highlight_word` functions in `app/modules/common/common.py` build raw HTML by string concatenation with no escaping. This allows an attacker to inject an SVG payload into HAProxy/Nginx access logs, which can be executed w [truncated]
CVE-2026-45559 is a vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The `get_ldap_email` function in `app/modules/roxywi/user.py` (lines 120-157) is vulnerable to LDAP search filter injection. The username URL path parameter is not properly sanitized, allowing an attacker to inject additional LDAP clauses. This could enable an attacker to enumerate or [truncated]
CVE-2026-45558 is a critical vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. An authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the configuration, leading to remote code execution on the load balancer as the haproxy user.
CVE-2026-45556 is a critical remote code execution (RCE) vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. An attacker can exploit this vulnerability by sending a crafted POST request to the /waf/<service>/<server_ip>/rule/<rule_id>/save endpoint, which allows them to write arbitrary content to any f [truncated]
CVE-2026-45552 is a critical vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability has a CVSS score of 9.9 and a severity of CRITICAL. It was published on 2026-06-10T15:16:36.303Z and modified on 2026-06-10T19:37:41.437Z. The vulnerability is caused by missing decorators in the install blueprint, which omit both role and group checks. This [truncated]
CVE-2026-45550 is a critical vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability allows any authenticated user to silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. This is due to a flawed authorization mechanism in the PUT /smon/check endpoint, which fails to validate that the target check_id belongs to the ca [truncated]
CVE-2026-45549 is a high-severity vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. Specifically, the `agent_action` function in `app/routes/smon/agent_routes.py` (lines 166-179) lacks role checks and group ownership verification on the `server_ip` form field. Consequently, any authenticated user, in [truncated]