Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionGitHub Advisory
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update (and Admins.update) does not validate the def_language parameter against the list of available language files. An authenticated customer can set def_language to a path traversal payload (e.g., ../../../../../var/customers/webs/customer1/evil), which is stored in the database. On subsequent requests, Language::loadLanguage() constructs a file path using this value and executes it via require, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
AnalysisAI
Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the def_language field via the Customers.update or Admins.update API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.
Technical ContextAI
Froxlor is an open-source server administration panel written in PHP for managing web hosting environments. The vulnerability stems from improper limitation of pathname to a restricted directory (CWE-98), manifesting as a two-stage attack: first, an authenticated user exploits insufficient input validation in the API's Customers.update and Admins.update endpoints to store a malicious path traversal payload (e.g., ../../../../../var/customers/webs/customer1/evil) in the database's def_language field. Second, on subsequent application requests, the Language::loadLanguage() function constructs a file path by concatenating this untrusted database value and executes it using PHP's require statement, which both includes and executes the file as PHP code. This results in arbitrary code execution with the privileges of the web server user (typically www-data or apache), allowing attackers to write webshells, access sensitive data, or pivot to other hosted customer environments. The affected CPE cpe:2.3:a:froxlor:froxlor applies to all versions before 2.3.6.
RemediationAI
Upgrade immediately to Froxlor version 2.3.6 or later, available at https://github.com/froxlor/froxlor/releases/tag/2.3.6, which implements validation of the def_language parameter against the whitelist of available language files, preventing path traversal attacks. After upgrading, review database records for suspicious def_language values containing path traversal sequences (../, absolute paths, or references to customer web directories) and reset them to legitimate language codes. Organizations unable to upgrade immediately should implement strict Web Application Firewall (WAF) rules to block API requests to /api/v1/Customers.update and /api/v1/Admins.update containing def_language parameters with path traversal characters (../, .\, absolute paths), though this may break legitimate language changes and requires careful tuning. Alternatively, restrict API access to trusted IP ranges only via firewall rules, accepting that this prevents remote customer self-service functionality. Monitor web server access logs for unexpected PHP file executions in customer web directories. Review and rotate credentials for all customer and admin accounts, as credential compromise enables exploitation. Note that WAF and firewall mitigations reduce but do not eliminate risk, as authenticated attackers may find alternate injection vectors.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25176
GHSA-w59f-67xm-rxx7