
roxy-wi — Vulnerabilities & Security Advisories (32)

All 32 CVE vulnerabilities found in roxy-wi, with AI-generated Chinese analysis, references, and POCs.

This page catalogs known vulnerabilities in Roxy-Wi, a web interface for managing HAProxy configurations and load balancers, with a focus on weakness classes such as configuration errors and information disclosure. It aggregates security issues identified in Roxy-Wi and its underlying dependencies, covering vulnerability data from the initial public disclosures up to the most recent updates, so that the history of exposures is complete.

Users can track vendor-specific advisories for Roxy-Wi, understand what specific weakness classes mean in the context of a load balancer management interface, and look up the product's vulnerability history to assess risk over time. The page is intended for system administrators, security analysts, and DevOps professionals who need to evaluate the security posture of HAProxy infrastructure managed through Roxy-Wi. Consolidating these records helps identify patterns in reported flaws, follow the evolution of security patches, and make informed decisions about software updates and configuration hardening. It also serves as a reference for correlating reported issues with specific Roxy-Wi versions, so teams can prioritize remediation by the severity and relevance of each vulnerability to their own deployment. Clear visibility into past and present threats supports proactive security management in load balancing operations.

Vendor: hap-wi

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-45569 | Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug) | CWE-22 | 8.1 | High | 2026-06-10 |
| CVE-2026-45567 | Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt | CWE-287 | 8.3 | High | 2026-06-10 |
| CVE-2026-45566 | Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass | CWE-601 | 6.1 | Medium | 2026-06-10 |
| CVE-2026-45565 | Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors) | CWE-20 | 8.1 | High | 2026-06-10 |
| CVE-2026-45564 | Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save) | CWE-78 | 8.8 | High | 2026-06-10 |
| CVE-2026-45563 | Roxy-WI: IDOR — any authenticated user can read another user's full action history | CWE-639 | 4.3 | Medium | 2026-06-10 |
| CVE-2026-45561 | Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs | CWE-918 | 6.5 | Medium | 2026-06-10 |
| CVE-2026-45560 | Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML) | CWE-79 | 6.1 | Medium | 2026-06-10 |
| CVE-2026-45559 | Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only) | CWE-90 | 4.9 | Medium | 2026-06-10 |
| CVE-2026-45558 | Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save | CWE-20 | 9.9 | Critical | 2026-06-10 |
| CVE-2026-45556 | Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name` | CWE-20 | 9.9 | Critical | 2026-06-10 |
| CVE-2026-45550 | Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/body | CWE-639 | 9.1 | Critical | 2026-06-10 |
| CVE-2026-45549 | Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host | CWE-862 | 8.5 | High | 2026-06-10 |
| CVE-2026-45552 | Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server | CWE-639 | 9.9 | Critical | 2026-06-10 |
| CVE-2026-33208 | Roxy-WI Vulnerable to Authenticated Remote Code Execution via OS Command Injection in find-in-config Endpoint | CWE-78 | 8.8 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-33078 | Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-04-24 |
| CVE-2026-33077 | Roxy-WI has an arbitrary file read vulnerability | CWE-22 | 7.5 (AI) | High (AI) | 2026-04-24 |
| CVE-2026-33076 | Roxy-WI vulnerable to path traversal and arbitrary file writing | CWE-22 | 9.8 (AI) | Critical (AI) | 2026-04-24 |
| CVE-2026-33432 | Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass | CWE-287 | 7.5 (AI) | High (AI) | 2026-04-20 |
| CVE-2026-33431 | Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer | CWE-24 | 8.1 (AI) | High (AI) | 2026-04-20 |
| CVE-2026-27811 | Roxy-WI has a Command Injection via diff parameter in config comparison allows authenticated RCE | CWE-77 | 8.8 | High | 2026-03-17 |
| CVE-2026-22265 | Roxy-WI has a Command Injection via grep parameter in logs.py allows authenticated RCE | CWE-78 | 7.5 | High | 2026-01-15 |
| CVE-2024-13129 | Roxy-WI roxy.py action_service os command injection | CWE-78 | 8.8 | High | 2025-01-03 |
| CVE-2024-43804 | OS Command Injection via Port Scan Functionality in Roxy-WI | CWE-78 | 8.8 | High | 2024-08-29 |
| CVE-2023-29004 | Path Traversal Vulnerability in hap-wi/roxy-wi | CWE-22 | 6.5 | Medium | 2023-04-17 |
| CVE-2023-25804 | Roxy-WI vulnerable to Limited Path Traversal in name parameter | CWE-22 | 7.5 | High | 2023-03-15 |
| CVE-2023-25802 | Roxy-WI has Path Traversal vulnerability | CWE-26 | 7.5 | High | 2023-03-13 |
| CVE-2023-25803 | Roxy-WI Path Traversal Vulnerability | CWE-22 | 7.5 | High | 2023-03-13 |
| CVE-2022-31161 | Roxy-WI Vulnerable to Unauthenticated Remote Code Execution via ssl_cert Upload | CWE-77 | 10.0 | Critical | 2022-07-15 |
| CVE-2022-31137 | Unauthenticated Remote Code Execution in Roxy-WI | CWE-78 | 10.0 | Critical | 2022-07-08 |
