Skip to main content

Froxlor CVE-2026-26279

CRITICAL
OS Command Injection (CWE-78)
2026-03-03 security-advisories@github.com GHSA-33mp-8p67-xj7c
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 05, 2026 - 21:19 vuln.today
Public exploit code
Patch released
Mar 05, 2026 - 21:19 nvd
Patch available
CVE Published
Mar 03, 2026 - 23:15 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.

AnalysisAI

Command injection in Froxlor server admin before 2.3.4 due to typo (== instead of =) disabling input validation entirely. PoC and patch available.

Technical ContextAI

CWE-78. A comparison typo (== vs =) completely disables input validation.

RemediationAI

Update to 2.3.4.

CVE-2023-0315 HIGH POC
8.8 Jan 16

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8. Rated high severity (CVSS 8.8), this vulnerabilit

CVE-2023-3173 CRITICAL POC
9.8 Jun 09

Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. Rated cr

CVE-2023-1307 CRITICAL POC
9.8 Mar 10

Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. Rated critical severity

CVE-2021-42325 CRITICAL POC
9.8 Oct 12

Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name. Rated critic

CVE-2023-6069 HIGH POC
8.8 Nov 10

Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. Rated high severity (CV

CVE-2023-2034 HIGH POC
8.8 Apr 14

Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14. Rated high severit

CVE-2023-1033 HIGH POC
8.8 Feb 25

Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11. Rated high severity (CVSS 8.8),

CVE-2023-0877 HIGH POC
8.8 Feb 17

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11. Rated high severity (CVSS 8.8), this vulnerability

CVE-2023-0671 HIGH POC
8.8 Feb 04

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10. Rated high severity (CVSS 8.8), this vulnerability

CVE-2020-10235 HIGH POC
8.8 Mar 09

An issue was discovered in Froxlor before 0.10.14. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2023-50256 HIGH POC
7.5 Jan 03

Froxlor is open source server administration software. Rated high severity (CVSS 7.5), this vulnerability is remotely ex

CVE-2023-0564 HIGH POC
7.5 Jan 29

Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10. Rated high severity (CVSS 7.5), this vu

Share

CVE-2026-26279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy