CVE-2026-45565
Description
Roxy-WI versions 8.2.6.4 and prior are vulnerable to path traversal and RCE due to improper validation of user input in EscapedString.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers, contains a flaw in its centralized Pydantic validator, EscapedString (app/modules/roxywi/class_models.py:16-30). In versions 8.2.6.4 and prior, when the input contains a shell metacharacter (;, &, |, $, or backtick) the validator strips that character and returns the result immediately, skipping both the check for ".." sequences and the shell quoting that other inputs receive. An attacker therefore only needs to append one such character to a traversal payload: the metacharacter is removed, but the ".." sequence survives unchecked and unquoted and reaches downstream file-path and command sinks, giving path traversal and RCE vectors [1].
Exploitation
An attacker supplies specially crafted input to any field validated by EscapedString, such as an SSH credential name, a username, or a description. Appending a metacharacter (;, &, |, $, or backtick) to a path traversal sequence such as ../ routes the value through the stripping branch, so the ".." check never runs. Depending on the sink that consumes the field, the attacker can then manipulate file paths or execute commands [1].
Impact
Successful exploitation can lead to arbitrary file writes, decryption of stored SSH private keys, path traversal in the HAProxy list handling, and remote code execution through the save_version function. The severity depends on which field and sink are reached, but the RCE path implies full compromise of the Roxy-WI host [1].
Mitigation
At the time of publication, there are no publicly available patches for this vulnerability. Users are advised to monitor the project's security advisories for updates. No workarounds are currently disclosed [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"The EscapedString validator incorrectly processes input containing metacharacters, allowing path traversal payloads to bypass security checks."
Attack vector
An attacker with low privileges can exploit this vulnerability by providing specially crafted input to fields validated by EscapedString. By appending a metacharacter such as ';', '&', '|', '$', or backtick to a path traversal sequence (e.g., '../../etc/passwd;'), the input is routed into the stripping branch, which returns the stripped value without ever applying the '..' check or shell quoting. The attacker can thus control file paths, leading to arbitrary file writes or remote code execution depending on the downstream sink [ref_id=1].
Affected code
The vulnerability resides in the EscapedString class within app/modules/roxywi/class_models.py, specifically lines 16-30 [ref_id=1]. This validator is used across approximately 52 Pydantic fields. Downstream sinks include functions like _return_correct_ssh_file in app/modules/server/ssh.py and the HaproxyListView and configver functionalities [ref_id=1].
What the fix does
The advisory does not specify a patch. It suggests restructuring the EscapedString validator so that the check for '..' sequences runs before the metacharacter-stripping logic, ensuring that any input containing '..' is rejected before characters are removed and before the value is quoted. It further recommends rejecting '/', '\', and NUL bytes whenever a field is used as a filename component [ref_id=1].
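The following is an added illustration, not Roxy-WI's code and not a vendor patch: it models the pre-fix ordering as the page describes it beside a hardened validator that applies the advisory's two suggestions (traversal check before stripping; path separators and NUL rejected for filename components). It also goes one step beyond the advisory by re-checking for '..' after stripping, because stripping can reassemble a traversal sequence from input such as '.;./.;./etc/passwd'. The metacharacter set and the filename_component flag are assumptions made for this example.

```python
import re
from shlex import quote

# Assumed metacharacter set; the page names ; & | $ and backtick.
METACHARS = re.compile(r'[&;|$`"]')


def validate_vulnerable(v: str) -> str:
    """Constructed model of the pre-fix behaviour described on the page."""
    if METACHARS.search(v):
        # Stripped value is returned immediately: no '..' check, no quoting.
        return METACHARS.sub('', v)
    if '..' in v:
        raise ValueError('nice try')
    if v == '':
        return v
    return quote(v.rstrip())


def validate_hardened(v: str, filename_component: bool = False) -> str:
    """Hardened ordering (example only, not the project's fix).

    filename_component is an assumed flag for fields that end up as a
    path element, where '/', '\\' and NUL must be rejected outright.
    """
    # 1. Traversal and NUL checks run on the raw value, before anything is removed.
    if '..' in v:
        raise ValueError('path traversal sequence rejected')
    if '\x00' in v:
        raise ValueError('NUL byte rejected')
    if filename_component and ('/' in v or '\\' in v):
        raise ValueError('path separator rejected in filename component')
    # 2. Strip metacharacters, then re-check: removing ';' from '.;.' yields '..'.
    stripped = METACHARS.sub('', v)
    if '..' in stripped:
        raise ValueError('path traversal sequence formed after stripping')
    if stripped == '':
        return stripped
    # 3. Every surviving value is shell-quoted, not just the metachar-free ones.
    return quote(stripped.rstrip())


def rejects(fn, value: str, **kwargs) -> bool:
    """True if the validator raises ValueError for value."""
    try:
        fn(value, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    payloads = ['../../etc/passwd;', '.;./.;./etc/passwd', 'id_rsa/\x00', 'web01']
    for p in payloads:
        vuln = validate_vulnerable(p) if not rejects(validate_vulnerable, p) else 'REJECTED'
        hard = validate_hardened(p, filename_component=True) \
            if not rejects(validate_hardened, p, filename_component=True) else 'REJECTED'
        print(f'{p!r:28} vulnerable -> {vuln!r:24} hardened -> {hard!r}')
```

The important design choice is that the hardened path has exactly one exit for non-empty input, and that exit is quoted; the original bug was a second, unquoted exit that only metacharacter-bearing input could reach.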
Preconditions
- auth: The attacker needs an authenticated, low-privileged account on the application.
- input: The attacker must be able to provide input to fields validated by the EscapedString class.
Reproduction
The following standalone Python script models the validator logic and shows the bypass:

    import re
    from shlex import quote

    class EscapedString(str):
        pattern = re.compile('[&;|"]')

        @classmethod
        def validate(cls, v):
            if isinstance(v, str):
                if cls.pattern.search(v):
                    return re.sub(cls.pattern, '', v)  # strip + return without '..' check
                elif '..' in v:
                    raise ValueError('nice try')
                elif v == '':
                    return v
                else:
                    return quote(v.rstrip())
            return v

    print('Smuggled with ; :', repr(EscapedString.validate('../../etc/passwd;')))
    print('Smuggled with & :', repr(EscapedString.validate('../../etc/passwd&')))
    print('Embedded :', repr(EscapedString.validate('/var/lib/safe;..;..;..;etc/passwd;')))

[ref_id=1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (1)
[1] Roxy-WI: 14 Vulnerabilities Disclosed Together, Including Critical Flaws. Vypr Intelligence, Jun 10, 2026.