CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass
CVSS Score
6.1
EPSS Score
0.0%
EPSS Percentile
0th
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. [email protected]/path produces https://[email protected]/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.
| CWE | CWE-601 |
| Vendor | roxy-wi |
| Product | roxy-wi |
| Published | Jun 10, 2026 |
| Last Updated | Jun 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for roxy-wi roxy-wi
Be the first to know when new medium vulnerabilities affecting roxy-wi roxy-wi are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
roxy-wi / roxy-wi
<= 8.2.6.4