MEDIUM 6.1

CVE-2026-45560: Stored XSS in Roxy-WI Log Viewer – Load Balancer Admin Compromise Risk

Roxy-WI, a web-based management console for load balancers and web servers, contains a stored cross-site scripting (XSS) vulnerability in its log viewer. The vulnerability exists because the application builds HTML pages by concatenating user-controlled log data without sanitization. An attacker who can generate traffic through a managed load balancer—such as by making HTTP requests to a public-facing application—can inject malicious scripts into access logs. When an administrator opens the log viewer in Roxy-WI, the injected payload executes in their browser with the privileges of that user. This is a supply-chain risk: any internet-facing service behind a Roxy-WI-managed load balancer becomes a potential injection point.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/static/js/script.js, log-viewer paths) uses .html(data) / .append(data) to inject the response body. Anyone able to write a line into a managed HAProxy/Nginx access log (i.e. anyone who can send an HTTP request to the public LB) can land an <svg/onload=…> payload that executes when a Roxy-WI admin opens the log viewer. At time of publication, there are no publicly available patches.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability spans two functions in app/modules/common/common.py (wrap_line and highlight_word) that construct HTML output via string concatenation without output encoding. The frontend then injects this unsafe HTML into the DOM using jQuery's .html() and .append() methods on log-viewer UI elements. The attack flow is: (1) attacker sends a crafted HTTP request containing SVG/JavaScript payload in the User-Agent, Referer, or request path; (2) the payload is logged verbatim by HAProxy/Nginx to the access log; (3) Roxy-WI admin opens the log viewer; (4) the application fetches and renders the log, injecting the payload into the page; (5) the browser executes the embedded script in the admin's session context. The vulnerability is classified as stored XSS (CWE-79) because the payload persists in the log file, not just in a request parameter. Affected versions: 8.2.6.4 and prior.

Business impact

Compromise of an admin account managing critical load balancer or web server infrastructure can lead to service disruption, traffic redirection, SSL certificate manipulation, or access to upstream server configurations. Roxy-WI often manages production ingress layers (HAProxy, Nginx), making account takeover particularly damaging. The attack requires no special network access—any public-facing service behind the load balancer is a pivot point. Organizations using Roxy-WI in multi-tenant or high-availability environments face elevated risk if administrators routinely review logs. Incident response overhead is also significant: distinguishing legitimate log entries from injected payloads and audit trail contamination.

Affected systems

Roxy-WI versions 8.2.6.4 and earlier are vulnerable. The impact depends on what services are fronted by Roxy-WI-managed load balancers: any HTTP/HTTPS-capable backend that logs request metadata (User-Agent, Referer, URI, X-Forwarded-For, etc.) can be exploited as an injection vector. HAProxy and Nginx are explicitly named; Apache and Keepalived may also be affected if their logs are viewable through Roxy-WI's interface. At publication, no patched version is publicly available; verify with the vendor for remediation timeline.

Exploitability

Exploitability is moderate. The attack requires: (1) ability to send HTTP requests to a service behind the managed load balancer (no authentication or special privileges needed); (2) the load balancer to log the attacker's request metadata; (3) an admin to open the log viewer in Roxy-WI. Weaponization is straightforward—a simple HTTP request with a payload in the User-Agent header is sufficient. No complex interaction or race conditions are required. Proof of concept is feasible but not publicly disclosed at this time. The CVSS score of 6.1 (Medium) reflects the requirement for user interaction (admin opening the log viewer) and the lack of confidentiality or availability impact, though integrity impact is clear.

Remediation

Immediate: restrict access to Roxy-WI's web interface to trusted networks and require strong authentication. Review logs for evidence of injected payloads (look for <svg, <img, onerror=, onload=, javascript: in log lines). Long-term: upgrade to a patched version when available. For defense-in-depth, configure HAProxy/Nginx to sanitize or limit log content (e.g., truncate User-Agent, encode special characters), though this is not a primary fix. Web application firewalls (WAF) in front of Roxy-WI can block requests with obvious script injection patterns, but are not sufficient standalone. Validate against vendor advisory for exact patch version and deployment guidance.

Patch guidance

No patches are currently available at the time of publication (2026-06-10). Monitor the Roxy-WI project repository or vendor security advisories for a release. When patching becomes available, it should include output encoding in wrap_line and highlight_word functions, and conversion of .html() calls to .text() or use of a templating engine with automatic escaping. Do not apply patches from unofficial sources. Test patches in a non-production environment before deployment, as Roxy-WI manages critical infrastructure.

Detection guidance

Monitor Roxy-WI access logs for requests containing common XSS payloads in User-Agent, Referer, or URI (e.g., <svg, <img, onerror, onload, javascript:). Implement alerting on Roxy-WI's own logs for unusual admin activity: rapid log-viewer requests, access from unexpected IPs, or concurrent sessions. If EDR is deployed on admin workstations, look for unexpected script execution or DOM manipulation originating from the Roxy-WI domain. Check web server logs feeding into Roxy-WI for suspicious injection attempts. Correlation: if you see a spike in requests with XSS-like payloads to a backend service, cross-reference when admins accessed the log viewer—this can confirm exploitation attempts.

Why prioritize this

Although the CVSS score is Medium (6.1), the vulnerability warrants urgent attention because: (1) Roxy-WI manages mission-critical load-balancer infrastructure; (2) the attack surface is internet-facing (any HTTP client can inject); (3) no patch is available yet, limiting immediate remediation; (4) admin account compromise can have cascading impact on multiple backend services. Organizations should treat this as a high-priority configuration and access-control issue even if the base vulnerability score is moderate.

Risk score, explained

CVSS 3.1 score of 6.1 (Medium severity) is driven by: Network-accessible attack vector (AV:N, +10 points), low complexity (AC:L, no special conditions), no privilege requirement (PR:N), and user interaction necessary (UI:R, the admin must open the log viewer). Scope is changed (S:C, the XSS payload executes in the admin's browser session, affecting the confidentiality and integrity of Roxy-WI's functions). Confidentiality and integrity impacts are low (C:L, I:L) because the attacker gains read/write access to what the admin can see/do in Roxy-WI, but availability is unaffected (A:N). The score does not account for the criticality of the assets managed by Roxy-WI; supplementary risk assessment is recommended.

Frequently asked questions

Can this be exploited if Roxy-WI is air-gapped or behind a firewall?

Only if the managed load balancers themselves are internet-facing or receive traffic from untrusted networks. An attacker needs to inject a payload into the logs of a load balancer managed by Roxy-WI. If all backend services are strictly internal and the administrator never opens the log viewer, the practical risk is lower—but you should assume admins will eventually review logs.

Does enabling HTTPS on Roxy-WI help prevent this vulnerability?

HTTPS encrypts traffic between the admin and Roxy-WI but does not prevent the XSS attack itself. The vulnerability is in how Roxy-WI renders log data client-side, not in network transport. The injected payload is already in the log file and will be rendered regardless of whether the connection is encrypted.

What if we disable the log viewer feature entirely?

Disabling the log viewer would eliminate the attack vector for this specific CVE, but it removes a key operational feature of Roxy-WI. A more practical interim control is restricting who can access the Roxy-WI interface and ensuring only trusted admins can view logs. Implement IP-based access controls or multi-factor authentication if available.

Will a WAF protect us from this?

A WAF in front of Roxy-WI itself will not prevent this attack because the malicious payload is not in the request to Roxy-WI—it's injected via requests to the backend services, logged, and then rendered later. A WAF on the backend services *could* block obvious XSS payloads in requests, reducing log pollution, but this is defense-in-depth, not a cure. The root cause—unsafe rendering of log data—must be fixed in Roxy-WI.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. No exploit code or weaponized proof-of-concepts are provided herein. Vulnerability data and timelines are current as of the publication date; verify all information against official vendor advisories and security bulletins before deploying patches or mitigations. Organizations should conduct independent risk assessments based on their network architecture, asset criticality, and exposure. No guarantee is made regarding the completeness or accuracy of detection signatures, remediation steps, or patch availability. Always test changes in a controlled environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).