CVE-2026-45556

CRITICAL EPSS 29.1%
Published Jun 10, 20263w ago · Modified Jun 17, 20262w ago
9.9 CVSS 3.1
Critical
Find Similar
Published Jun 10, 2026 3w ago
Last Modified Jun 17, 2026 2w ago

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring conf or cfg, and to not contain ... The encoded-slash substitution 92 → / is applied before the substring check, so the attacker can build any absolute path anywhere on the LB filesystem as long as it satisfies those substring constraints. The body of the WAF rule (config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (resolving to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry on the load balancer with attacker-controlled content. Cron parses the file on its next scan, executing the embedded job as root — full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches.

CVSS Details

Base Score
9.9
Exploitability
3.1
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
29.1% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 4

CWE-20 Improper Input Validation Validation
CWE-22 Path Traversal Resource Mgmt
CWE-73
CWE-78 OS Command Injection Injection

References 1

  • github.com https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-85gm-773v-x7m4

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.