Input validation error in Roxy-WI - CVE-2026-45565

 


Published: May 16, 2026


Vulnerability identifier: #VU131617
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45565
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roxy-WI
Affected software:
Roxy-WI

Detailed vulnerability description

The vulnerability allows a remote user to write arbitrary files and execute arbitrary code.

The vulnerability exists due to improper input validation in the EscapedString validator when processing user-supplied string fields containing path traversal sequences together with metacharacters. A remote user can supply a specially crafted value to write arbitrary files and execute arbitrary code.

The issue occurs because the validator's strip branch returns the modified value before enforcing the '..' check and without applying shell quoting.
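The control-flow defect described above, as an added Python sketch that is not Roxy-WI's own code, next to a form that validates the final value. The function names, the metacharacter set, the assumption that the non-strip path applies shell quoting, and the sample values are all constructed for illustration.

```python
import re
import shlex

# Assumed metacharacter set; the real validator's list is not given in the advisory.
_META = re.compile(r"[;&|`$<>\s]")


def escaped_string_flawed(value: str) -> str:
    """Defect shape: the strip branch returns before the '..' check and quoting."""
    if _META.search(value):
        return _META.sub("", value)  # early return skips both safeguards
    if ".." in value:
        raise ValueError("path traversal sequence rejected")
    return shlex.quote(value)


def escaped_string_hardened(value: str) -> str:
    """Strip first, then validate and quote the value that will actually be used."""
    cleaned = _META.sub("", value)
    # Checked after stripping, because removing characters can itself form '..'.
    if ".." in cleaned:
        raise ValueError("path traversal sequence rejected")
    return shlex.quote(cleaned)


def accepts(validator, value: str) -> bool:
    """True if the validator returns a value instead of rejecting the input."""
    try:
        validator(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for sample in ["haproxy.cfg", "../conf", "../conf;x", ".;."]:
        print(f"{sample!r:14} flawed={accepts(escaped_string_flawed, sample)} "
              f"hardened={accepts(escaped_string_hardened, sample)}")
```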


How to mitigate CVE-2026-45565

Install the security update from the vendor's website.
