CVE-2026-45563 · EPSS p7.2%

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

Scoring

CVSS: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.18% probability of exploitation · percentile 7.2% · 2026-06-19T12:03:05Z
Last modified: 2026-06-10

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-45567
CVE-2026-45566
CVE-2026-45564
CVE-2026-45552
CVE-2026-45558
CVE-2026-45549
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.