VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-45566

Description

Roxy-WI versions 8.2.6.4 and prior suffer from an open redirect vulnerability due to improper handling of the 'next' URL parameter during login.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Roxy-WI, a web interface for managing servers, versions 8.2.6.4 and prior, contains an open redirect vulnerability in its login flow. The application attempts to prevent redirects to external sites by rejecting URLs that contain the substrings https:// or http://. However, it does not otherwise sanitize the 'next' URL parameter, so the check can be bypassed with the userinfo@host syntax: browsers treat everything before the @ symbol as credentials (userinfo) and navigate to the host that follows it [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link that includes a next parameter containing a URL with the userinfo@host syntax, such as @evil.example/path. When a user clicks this link and logs into the Roxy-WI instance, the application constructs a redirect URL that includes the attacker-controlled domain. The JavaScript client then redirects the user's browser to this malicious domain via window.location.replace() [1].

Impact

Successful exploitation of this open redirect vulnerability allows an attacker to redirect users to arbitrary external websites. This can be used to facilitate phishing attacks, distribute malware, or perform other malicious actions by tricking users into visiting a site controlled by the attacker [1].

Mitigation

At the time of publication, there are no publicly available patches for this vulnerability. Users are advised to monitor the project's security advisories for updates. No workarounds are currently disclosed [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Roxy Wi / Roxy Wi (vendor and product inferred), 2 versions
    • (no CPE) range: <=8.2.6.4
    • (no CPE) range: <=8.2.6.4

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"The login flow incorrectly sanitizes the `next_url` parameter, allowing redirection to arbitrary hosts via userinfo syntax."

Attack vector

An unauthenticated attacker can craft a login request with a specially formatted `next` parameter. This parameter, such as `@evil.example/login`, bypasses the initial URL validation. The backend then constructs a redirect URL like `https://victim.example@evil.example/login`. The JavaScript client redirects the user's browser to this URL, which modern browsers interpret as a redirect to `evil.example` [ref_id=1].

Affected code

The vulnerability exists in the `do_login` function in `app/modules/roxywi/auth.py` which handles the login process and constructs the redirect URL. The JavaScript code in `app/static/js/script.js` is responsible for performing the client-side redirection using the `window.location.replace()` method [ref_id=1].

What the fix does

The advisory does not specify a patch. It recommends a remediation strategy that involves parsing the `next_url` using `urllib.parse.urlparse` to check for a scheme or network location. If these are present, or if the URL does not start with a forward slash, it defaults to the application's index page, preventing the open redirect vulnerability [ref_id=1].
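The following is an added illustration, not Roxy-WI code and not the advisory's patch. It places the substring filter the advisory describes next to the urlparse-based check it recommends, and shows where a browser would actually land when the backend prepends the application origin to the 'next' value as described in the attack vector. Function names, the BASE_URL placeholder and the sample inputs are constructed for the example; the inputs are the four values from the reproduction block plus an ordinary relative path.

```python
from urllib.parse import urlparse

# Constructed placeholder for the Roxy-WI origin; not a real host.
BASE_URL = "https://victim.example"


def naive_is_safe(next_url: str) -> bool:
    """Filter as the advisory describes it: reject only literal http(s):// substrings.

    '@evil.example/login' passes because it contains neither substring.
    """
    return "https://" not in next_url and "http://" not in next_url


def hardened_is_safe(next_url: str) -> bool:
    """Check along the lines the advisory recommends: accept only app-relative paths.

    A value is accepted only if urlparse() finds no scheme and no network location
    and the value starts with a single forward slash. Protocol-relative '//host'
    and backslash variants (which some browsers normalise to '/') are also rejected.
    """
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return False
    if not next_url.startswith("/") or next_url.startswith("//"):
        return False
    if "\\" in next_url:
        return False
    return True


def resolve_next(next_url: str, check) -> str:
    """Return the value to redirect to, falling back to the index page when rejected."""
    return next_url if check(next_url) else "/"


def redirect_target_host(next_url: str, check) -> str:
    """Host the browser navigates to once the backend prepends BASE_URL.

    This mirrors the construction in the advisory: 'https://victim.example' + '@evil.example/login'
    yields 'https://victim.example@evil.example/login', whose hostname is evil.example.
    """
    redirect = BASE_URL + resolve_next(next_url, check)
    return urlparse(redirect).hostname


def compare(inputs):
    """Evaluate every input under both checks; returns {input: (naive_host, hardened_host)}."""
    return {
        n: (redirect_target_host(n, naive_is_safe), redirect_target_host(n, hardened_is_safe))
        for n in inputs
    }


if __name__ == "__main__":
    # Constructed sample inputs: the four values from the reproduction block plus a benign path.
    samples = [
        "https://evil.example",
        "http://evil.example",
        "//evil.example",
        "@evil.example/login",
        "/dashboard",
    ]
    for value, (naive_host, hardened_host) in compare(samples).items():
        print(f"next={value:<24} naive -> {naive_host:<16} hardened -> {hardened_host}")
```

Only the userinfo variant slips past the substring filter and lands on evil.example; under the hardened check every external or protocol-relative value falls back to the index page, while the ordinary relative path '/dashboard' is still honoured. The backslash rejection goes slightly beyond what the advisory spells out and is included because it closes the same class of host-confusion bypass.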

Preconditions

  • input: The attacker must be able to control the `next` parameter in the login request.
  • network: The attacker must be able to send a POST request to the `/login` endpoint.

Reproduction

for n in 'https://evil.example' 'http://evil.example' '//evil.example' '@evil.example/login'; do
  printf ' next=%-30s → ' "$n"
  curl -s -X POST http://victim.example/login \
    -H 'Content-Type: application/json' \
    -d "{\"login\":\"admin\",\"pass\":\"admin\",\"next\":\"$n\"}"
  echo
done

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1