CVE-2026-45565

Source
https://cve.org/CVERecord?id=CVE-2026-45565
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45565.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45565
Aliases
  • GHSA-7qm8-cm8p-9rx3
Published
2026-06-10T15:34:15.110Z
Modified
2026-07-08T08:13:30.197429591Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)
Details

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its if/elif/elif/else flow returns the metacharacter-stripped value without also enforcing the .. block. An attacker who appends a single ;, &, |, $, or backtick to a .. payload routes the value through the strip arm, where .. survives unblocked and the result is not shlex.quote()'d either. At time of publication, there are no publicly available patches.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45565.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-117",
        "CWE-20",
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/roxy-wi/roxy-wi

Affected ranges

Type
GIT
Repo
https://github.com/roxy-wi/roxy-wi
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.2.6.4"
        }
    ]
}

Affected versions

3.*
3.4.4.6
3.4.4.7
3.4.5
3.4.5.1
v.*
v.5.3.5.0
v1.*
v1.0
v1.1
v1.10
v1.10.1
v1.10.2
v1.10.2.1
v1.3
v1.4
v1.4.1
v1.6
v1.9.1
v2.*
v2.0.2
v3.*
v3.2.13
v3.3
v4.*
v4.4.1.0
v5.*
v5.1.1.0
v5.1.4.0
v5.2.0
v5.2.1
v5.2.2.0
v5.2.3.0
v5.2.4.0
v5.2.5.0
v5.2.6.0
v5.3.0.0
v5.3.1.0
v5.3.2.0
v5.3.3.0
v5.3.4.0
v5.3.6.0
v5.4.0.0
v5.4.1.0
v5.4.2.0
v5.4.3.0
v5.5.0.0
v5.5.1.0
v6.*
v6.0.0.0
v6.0.1.0
v6.0.2.0
v6.0.3.0
v6.1.0.0
v6.1.1.0
v6.1.2.0
v6.1.3.0
v6.1.4.0
v6.1.5.0
v6.2.0.0
v6.2.1.0
v6.2.2.0
v6.2.3.0
v6.3.0.0
v6.3.1.0
v6.3.10.0
v6.3.11.0
v6.3.12.0
v6.3.13.0
v6.3.14.0
v6.3.15.0
v6.3.16.0
v6.3.17.0
v6.3.18.0
v6.3.19.0
v6.3.2.0
v6.3.3.0
v6.3.4.0
v6.3.5.0
v6.3.6.0
v6.3.7.0
v6.3.8.0
v6.3.9.0
v7.*
v7.0.0.0
v7.0.1.0
v7.0.2.0
v7.0.3.0
v7.0.4.0
v7.1.0.0
v7.1.1.0
v7.1.2.0
v7.2.0.0
v7.2.1.0
v7.2.2.0
v7.2.3.0
v7.2.4.0
v7.2.5.0
v7.2.6.0
v7.3.0.0
v7.3.1.0
v7.3.2.0
v8.*
v8.0
v8.0.1
v8.0.2
v8.1
v8.1.0.1
v8.1.1
v8.1.2
v8.1.3
v8.1.4
v8.1.5
v8.1.6
v8.1.7
v8.1.8
v8.2.0
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.2.5
v8.2.6
v8.2.6.3
v8.2.6.4
v8.2.8.1
v8.2.8.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45565.json"