CVE Catalog

CVE-2026-45559

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

9th percentile — higher than 9% of all known CVEs

Summary

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the get_ldap_email function builds the LDAP search filter via f-string concatenation, allowing for the injection of additional clauses through improperly processed username URL path parameters.

Risk Assessment

An attacker can exploit this vulnerability to enumerate or harvest attributes outside the intended record, potentially leading to the disclosure of sensitive information. The lack of publicly available patches increases the risk for organizations.

Recommendation

It is recommended to upgrade to the latest version of Roxy-WI as soon as patches become available. Additionally, consider implementing extra security measures such as input validation and escaping user input.

Original NVD description (English source)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no LDAP escape — and inserted, a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS