VYPR

Roxy Wi

by Roxy Wi

CVEs (35)

  • CVE-2026-45559 | Med | Jun 10, 2026
    risk 0.32 | cvss 4.9 | epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim…

  • CVE-2026-45563 | Med | Jun 10, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history//<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user…

  • CVE-2018-20525 | Mar 18, 2019
    risk 0.06 | cvss | epss 0.22

    Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php.

  • CVE-2022-31161 | Jul 15, 2022
    risk 0.02 | cvss | epss 0.20

    Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0…

  • CVE-2026-27811 | Mar 17, 2026
    risk 0.00 | cvss | epss 0.02

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare//<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system…

  • CVE-2026-22265 | Jan 15, 2026
    risk 0.00 | cvss | epss 0.02

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to 8.2.8.2, a command injection vulnerability exists in the log viewing functionality that allows authenticated users to execute arbitrary system commands. The vulnerability is in…

  • CVE-2024-43804 | Aug 29, 2024
    risk 0.00 | cvss | epss 0.03

    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. An OS Command Injection vulnerability allows any authenticated user on the application to execute arbitrary code on the web application server via port scanning functionality. User-supplied…

  • CVE-2023-29004 | Apr 17, 2023
    risk 0.00 | cvss | epss 0.01

    hap-wi/roxy-wi is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A Path Traversal vulnerability was found in the current version of Roxy-WI (6.3.9.0 at the moment of writing this report). The vulnerability can be exploited via an HTTP request to…

  • CVE-2023-25804 | Mar 15, 2023
    risk 0.00 | cvss | epss 0.01

    Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a limited path traversal vulnerability. An SSH key can be saved into an unintended location, for example the `/tmp` folder using a payload…

  • CVE-2023-25802 | Mar 13, 2023
    risk 0.00 | cvss | epss 0.01

    Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize `dir/../filename` sequences, such as `/etc/nginx/../passwd`, allowing an actor to gain information about a server. Version 6.3.6.0 has a…

  • CVE-2023-25803 | Mar 13, 2023
    risk 0.00 | cvss | epss 0.01

    Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.5.0 have a directory traversal vulnerability that allows the inclusion of server-side files. This issue is fixed in version 6.3.5.0.

  • CVE-2022-31125 | Jul 6, 2022
    risk 0.00 | cvss | epss 0.16

    Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to bypass authentication and access admin functionality by sending a specially crafted HTTP request. This…

  • CVE-2021-38168 | Aug 7, 2021
    risk 0.00 | cvss | epss 0.01

    Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_servers.

  • CVE-2021-38169 | Aug 7, 2021
    risk 0.00 | cvss | epss 0.02

    Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and /api/api_funct.py.

  • CVE-2019-7174 | Apr 9, 2019
    risk 0.00 | cvss | epss 0.02

    Roxy Fileman 1.4.5 allows attackers to execute renamefile.php (aka Rename File), createdir.php (aka Create Directory), fileslist.php (aka Echo File List), and movefile.php (aka Move File) operations.

Page 2 of 2