Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in configfilename and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment — '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\..\etc\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.
{
"cwe_ids": [
"CWE-22",
"CWE-697"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45569.json",
"cna_assigner": "GitHub_M"
}