Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/static/js/script.js, log-viewer paths) uses .html(data) / .append(data) to inject the response body. Anyone able to write a line into a managed HAProxy/Nginx access log (i.e. anyone who can send an HTTP request to the public LB) can land an <svg/onload=…> payload that executes when a Roxy-WI admin opens the log viewer. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roxy-WI includes a stored cross-site scripting flaw in the log viewer. The wrap_line and highlight_word functions build raw HTML by string concatenation with no escaping, and the front-end injects the result into the page with .html()/.append(), so an attacker can embed a payload that runs when an administrator opens the log viewer. The vulnerability allows arbitrary script execution in the administrator's browser context, a cross-site scripting weakness (CWE-79).

Affected Systems

The flaw affects the Roxy-WI web interface, which manages HAProxy, Nginx, Apache and Keepalived servers. All releases version 8.2.6.4 and earlier are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.1, indicating a moderate risk. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog. An attacker who can send HTTP requests to the public load balancer can inject malicious log entries; when an administrator later views those logs, the embedded payload executes in the admin's browser, providing client-side script execution. No public patch is available at the time of this publication, so the risk remains until remediation is applied.

Generated by OpenCVE AI on June 10, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.
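As an added example, not Roxy-WI's own code and not a vendor fix: the pattern the description attributes to wrap_line and highlight_word (raw string concatenation into HTML) beside an escaped version, plus a coarse triage check for existing log files of the kind the recommended actions suggest. The function names come from the advisory; their bodies, the `<span>`/`<mark>` markup and the sample log lines are assumptions constructed for this illustration.

```python
import html
import re

# Added illustration, NOT Roxy-WI's code. The function names come from the
# advisory; their bodies are assumptions that reproduce the described pattern
# (raw string concatenation into HTML) and then show the escaped alternative.


def wrap_line_unsafe(line: str) -> str:
    # Vulnerable pattern: the untrusted log line is concatenated straight into markup.
    return '<span class="line">' + line + '</span>'


def highlight_word_unsafe(line: str, word: str) -> str:
    # Vulnerable pattern: neither the line nor the search term is escaped.
    return line.replace(word, '<mark>' + word + '</mark>')


def wrap_line(line: str) -> str:
    # Fixed: escape the log text (including quotes) before wrapping it in markup.
    return '<span class="line">' + html.escape(line, quote=True) + '</span>'


def highlight_word(line: str, word: str) -> str:
    # Fixed: split on the raw search term, escape each fragment separately, then join.
    # Escaping the whole line first and replacing afterwards would let a term such
    # as "lt" match inside "&lt;" and corrupt the entity.
    if not word:
        return html.escape(line, quote=True)
    marked = '<mark>' + html.escape(word, quote=True) + '</mark>'
    return marked.join(html.escape(part, quote=True) for part in line.split(word))


# Anything that looks like an HTML tag; coarse on purpose, for triage only.
TAG_RE = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')


def find_markup_lines(lines):
    """Indexes of log lines containing tag-like text that deserve a look before an admin views them."""
    return [i for i, line in enumerate(lines) if TAG_RE.search(line)]


def contains_foreign_tag(rendered: str) -> bool:
    """True if rendered HTML contains any element other than the <span>/<mark> wrappers emitted above."""
    return re.search(r'<(?!/?(?:span|mark)\b)[^>]*>', rendered) is not None


# Constructed sample access-log lines (not real traffic); the middle one carries
# the kind of tag the advisory describes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2026:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2026:12:00:01 +0000] "GET /<svg/onload=x> HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Jun/2026:12:00:02 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == '__main__':
    hostile = SAMPLE_LOG[1]
    print('unsafe           :', wrap_line_unsafe(hostile))
    print('escaped          :', wrap_line(hostile))
    print('escaped+highlight:', highlight_word(hostile, 'GET'))
    print('lines to review  :', find_markup_lines(SAMPLE_LOG))
```

Escaping has to happen on the server because, as the description says, the front-end inserts the response with .html(data)/.append(data); whatever reaches that call is interpreted as markup, so every untrusted fragment must be escaped before it is concatenated, never after. The split-then-escape form of highlight_word matters because replacing inside already-escaped text can match within an entity. The scan helper only points out lines worth reviewing; it does not sanitise anything.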

OpenCVE Recommended Actions

  • Apply the vendor patch for Roxy-WI as soon as it is released.
  • Restrict external write access to the public load balancer or configure the reverse proxy so that only trusted users can generate log entries.
  • Clear or sanitise existing log files to remove any embedded JavaScript before admins review them.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Roxy-wi
                                       Roxy-wi roxy-wi
Vendors & Products                     Roxy-wi
                                       Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type            Values Removed   Values Added
Description                      Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/static/js/script.js, log-viewer paths) uses .html(data) / .append(data) to inject the response body. Anyone able to write a line into a managed HAProxy/Nginx access log (i.e. anyone who can send an HTTP request to the public LB) can land an <svg/onload=…> payload that executes when a Roxy-WI admin opens the log viewer. At time of publication, there are no publicly available patches.
Title                            Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)
Weaknesses                       CWE-79
References
Metrics                          cvssV3_1
                                 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T16:03:46.646Z

Reserved: 2026-05-12T19:00:14.599Z

Link: CVE-2026-45560

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T15:16:36.883

Modified: 2026-06-10T15:16:36.883

Link: CVE-2026-45560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T16:30:26Z

Weaknesses