Roxy Wi
by Roxy Wi
CVEs (35)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45559 | | Med | 0.32 | 4.9 | 0.00 | | Jun 10, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim… |
| CVE-2026-45563 | | Med | 0.28 | 4.3 | 0.00 | | Jun 10, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history//<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user… |
| CVE-2018-20525 | | | 0.06 | — | 0.22 | | Mar 18, 2019 | Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php. |
| CVE-2022-31161 | | | 0.02 | — | 0.20 | | Jul 15, 2022 | Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0… |
| CVE-2026-27811 | | | 0.00 | — | 0.02 | | Mar 17, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare//<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system… |
| CVE-2026-22265 | | | 0.00 | — | 0.02 | | Jan 15, 2026 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, a command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in… |
| CVE-2024-43804 | | | 0.00 | — | 0.03 | | Aug 29, 2024 | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. An OS Command Injection vulnerability allows any authenticated user on the application to execute arbitrary code on the web application server via port scanning functionality. User-supplied… |
| CVE-2023-29004 | | | 0.00 | — | 0.01 | | Apr 17, 2023 | hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to… |
| CVE-2023-25804 | | | 0.00 | — | 0.01 | | Mar 15, 2023 | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the `/tmp` folder using a payload… |
| CVE-2023-25802 | | | 0.00 | — | 0.01 | | Mar 13, 2023 | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a… |
| CVE-2023-25803 | | | 0.00 | — | 0.01 | | Mar 13, 2023 | Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0. |
| CVE-2022-31125 | | | 0.00 | — | 0.16 | | Jul 6, 2022 | Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This… |
| CVE-2021-38168 | | | 0.00 | — | 0.01 | | Aug 7, 2021 | Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers. |
| CVE-2021-38169 | | | 0.00 | — | 0.02 | | Aug 7, 2021 | Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and /api/api_funct.py. |
| CVE-2019-7174 | | | 0.00 | — | 0.02 | | Apr 9, 2019 | Roxy Fileman 1.4.5 allows attackers to execute renamefile.php (aka Rename File), createdir.php (aka Create Directory), fileslist.php (aka Echo File List), and movefile.php (aka Move File) operations. |