Froxlor
CVE-2026-26279
CRITICAL
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
AnalysisAI
Command injection in Froxlor server admin before 2.3.4 due to typo (== instead of =) disabling input validation entirely. PoC and patch available.
Technical ContextAI
CWE-78. A comparison typo (== vs =) completely disables input validation.
RemediationAI
Update to 2.3.4.
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8. Rated high severity (CVSS 8.8), this vulnerabilit
Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. Rated cr
Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. Rated critical severity
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name. Rated critic
Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. Rated high severity (CV
Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14. Rated high severit
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11. Rated high severity (CVSS 8.8),
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11. Rated high severity (CVSS 8.8), this vulnerability
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10. Rated high severity (CVSS 8.8), this vulnerability
An issue was discovered in Froxlor before 0.10.14. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
Froxlor is open source server administration software. Rated high severity (CVSS 7.5), this vulnerability is remotely ex
Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10. Rated high severity (CVSS 7.5), this vu
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-33mp-8p67-xj7c