CVE-2026-45565
Status: Received - Intake
Stored Command Injection in Roxy-WI Web Interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its if/elif/elif/else flow returns the metacharacter-stripped value without also enforcing the .. block. An attacker who appends a single ;, &, |, $, or backtick to a .. payload routes the value through the strip arm, where .. survives unblocked and the result is not shlex.quote()'d either. At time of publication, there are no publicly available patches.
Affected Vendors & Products (1 associated CPE)

Vendor    Product    Version / Range
roxy-wi   roxy-wi    to 8.2.6.4 (exc)
CWE ID    Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-117 The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

The CVE-2026-45565 vulnerability is a flaw in the EscapedString validator within the Roxy-WI application. This validator is supposed to strip dangerous metacharacters like ;, &, |, $, and backticks from input strings to prevent malicious input. However, it fails to properly handle the '..' sequence when these metacharacters are present.

Because of the validator's logic, if an input contains a metacharacter, it triggers a branch that strips those metacharacters but skips the check that blocks '..'. This allows attackers to bypass security checks and use path traversal sequences like '../../etc/passwd;' without being blocked or properly quoted.

This flaw affects about 52 fields in the application and can lead to serious issues such as path traversal and remote code execution (RCE). For example, an attacker could manipulate SSH credential names to write files to unintended locations by appending a metacharacter to a '..' payload.

Impact Analysis

This vulnerability can have a high impact on your system's confidentiality and integrity. An attacker with low privileges and no user interaction can exploit it remotely over the network.

Potential impacts include arbitrary file writes, such as writing decrypted SSH private keys to unintended locations, path traversal attacks that allow access to sensitive files, and remote code execution through vulnerable functions.

Because the attack complexity is low and no user interaction is required, it is relatively easy for attackers to exploit this vulnerability if the system is running a vulnerable version of Roxy-WI.

Detection Guidance

Detection of this vulnerability involves identifying if the Roxy-WI application is using the vulnerable EscapedString validator in versions 8.2.6.4 and prior. Since the flaw allows path traversal and remote code execution via specially crafted inputs containing '..' combined with metacharacters like ;, &, |, $, or backticks, monitoring for such suspicious input patterns in logs or network traffic can help detect exploitation attempts.

Specifically, you can search application logs or network traffic for inputs or requests containing sequences like '../../etc/passwd;' or '../../etc/passwd&' targeting fields such as SSH credential names or usernames.

Example commands to detect potential exploitation attempts include:

  • Using grep to search application logs for suspicious payloads (single quotes are required: inside double quotes the shell would treat the backtick and $ in the character class as command substitution and variable expansion): grep -E '\.\./\.\./etc/passwd[;&|$`]' /path/to/roxy-wi/logs/*
  • Using tcpdump to capture plaintext HTTP requests and grep to match '..' followed by a metacharacter (tcpdump's BPF filter language has no content-match operator, so the decoded packets are piped to grep; this only works for unencrypted traffic, and the port must match your deployment): tcpdump -l -A -s 0 'tcp port 80' | grep -E '\.\.[/\\].*[;&|$`]'

Note that these commands are examples based on the vulnerability description and should be adapted to your environment and log locations.
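The same log search can be done in a few lines of Python; this is an added example, not part of the advisory or of Roxy-WI, and the JSON-lines log format, its 'fields' object and the field names are assumptions. Unlike the literal grep pattern, it percent-decodes values (twice) before matching, so encoded payloads are not missed.

```python
import json
import re
from urllib.parse import unquote

# A traversal sequence ("../" or "..\") followed anywhere later by one of the
# shell metacharacters named in the advisory: ; & | $ or backtick.
TRAVERSAL_PLUS_META = re.compile(r'\.\.[/\\].*[;&|$`]')


def is_suspicious(value: str) -> bool:
    """True if the value carries '..' traversal combined with a metacharacter.
    Percent-decoding is applied twice so %2e%2e and doubly-encoded %252e forms
    are normalised before matching (a literal-only grep misses both)."""
    decoded = unquote(unquote(value))
    return bool(TRAVERSAL_PLUS_META.search(decoded))


def scan_log(lines):
    """Return (line_no, field, decoded_value) for each suspicious field value.
    Assumes a constructed JSON-lines request log with a 'fields' object; this
    is not Roxy-WI's real log format."""
    hits = []
    for n, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        fields = rec.get("fields", {}) if isinstance(rec, dict) else {}
        for field, value in fields.items():
            if isinstance(value, str) and is_suspicious(value):
                hits.append((n, field, unquote(unquote(value))))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '{"path": "/credentials", "fields": {"name": "prod-bastion", "username": "deploy"}}',
    '{"path": "/credentials", "fields": {"name": "../../etc/passwd;", "username": "ops"}}',
    '{"path": "/credentials", "fields": {"name": "%2e%2e%2f%2e%2e%2fetc%2fpasswd%26"}}',
    '{"path": "/credentials", "fields": {"description": "backup; nightly"}}',
    'not json at all',
]

if __name__ == "__main__":
    for line_no, field, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: field {field!r} -> {value!r}")
```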

Mitigation Strategies

Immediate mitigation steps include restricting access to the Roxy-WI application to trusted users and networks to reduce the attack surface.

Since no public patches are available at the time of publication, you should implement input validation controls externally if possible, such as web application firewalls (WAFs) to block requests containing suspicious patterns like '..' combined with metacharacters (;, &, |, $, backticks).

Additionally, monitor logs and network traffic for exploitation attempts and consider disabling or limiting features that accept user input for SSH credential names, usernames, or descriptions until a fix is available.

The recommended fix involves modifying the EscapedString validator to check for the '..' sequence before stripping metacharacters and rejecting forward slashes, backslashes, and NUL bytes in filename components.
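The following added example (not Roxy-WI's code) contrasts a constructed approximation of the flawed branch order the advisory describes with a validator written along the lines of the recommended fix; the function names, the filename_component flag and the use of plain functions in place of the Pydantic validator hook are assumptions.

```python
import re
import shlex

# Shell metacharacters the advisory says the validator strips.
META = re.compile(r'[;&|$`]')

def escaped_string_flawed(value: str) -> str:
    """Constructed approximation of the branch layout the advisory describes;
    NOT Roxy-WI's real code. The '..' block sits in its own elif, so a value
    that takes the metacharacter-strip arm returns before it is ever checked."""
    if value == "":
        return value
    elif META.search(value):
        return META.sub("", value)   # '..' survives here
    elif ".." in value:
        raise ValueError("'..' is not allowed")
    else:
        return value

def escaped_string_fixed(value: str, filename_component: bool = False) -> str:
    """Hardened form following the recommended fix: every check runs
    unconditionally, in a fixed order, before anything is returned."""
    if "\x00" in value:
        raise ValueError("NUL byte not allowed")
    if ".." in value:
        raise ValueError("'..' is not allowed")
    if filename_component and re.search(r'[/\\]', value):
        raise ValueError("path separators not allowed in a filename component")
    return META.sub("", value)

def rejects(value: str, **kw) -> bool:
    """True if the hardened validator refuses the value."""
    try:
        escaped_string_fixed(value, **kw)
    except ValueError:
        return True
    return False

def shell_arg(value: str, filename_component: bool = False) -> str:
    """Validate, then quote for the one place the value reaches a shell.
    Quoting belongs at that boundary, not only inside the validator."""
    return shlex.quote(escaped_string_fixed(value, filename_component))

if __name__ == "__main__":
    payload = "../../etc/passwd;"   # constructed test input from the advisory
    print("flawed :", escaped_string_flawed(payload))   # '..' returned intact
    print("fixed  :", rejects(payload))                 # True
    print("quoted :", shell_arg("my key"))              # 'my key'
```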

Compliance Impact

The vulnerability in Roxy-WI allows attackers to perform path traversal and remote code execution, leading to unauthorized access and modification of sensitive data such as SSH private keys. This results in a high impact on confidentiality and integrity of data.

Such unauthorized access and potential data breaches can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of sensitive information and maintaining data confidentiality and integrity.
