CVE-2026-45563

{"id": "CVE-2026-45563", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-06-10T15:16:37.167", "references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9", "source": "security-advisories@github.com"}, {"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user \u2014 even a guest in an unrelated group \u2014 can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches."}], "lastModified": "2026-06-10T19:37:41.437", "sourceIdentifier": "security-advisories@github.com"}