CVE-2026-45566

Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass

CVSS 6.1 MEDIUMEPSS 0.2%CWE-601

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

10 Jun 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. next=@evil.example/path produces https://victim.example@evil.example/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

roxy-wi · roxy-wi

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-xw9x-68gg-mp5h