Skip to main content

Froxlor CVE-2026-41228

| EUVDEUVD-2026-25176 CRITICAL
PHP Remote File Inclusion (CWE-98)
2026-04-23 GitHub_M GHSA-w59f-67xm-rxx7
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Patch released
Apr 27, 2026 - 17:00 nvd
Patch available
Re-analysis Queued
Apr 23, 2026 - 16:27 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:47 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
CVSS changed
Apr 23, 2026 - 04:36 NVD
10.0 (CRITICAL) 9.9 (CRITICAL)
EUVD ID Assigned
Apr 23, 2026 - 04:00 euvd
EUVD-2026-25176
Analysis Generated
Apr 23, 2026 - 04:00 vuln.today
CVE Published
Apr 23, 2026 - 03:41 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update (and Admins.update) does not validate the def_language parameter against the list of available language files. An authenticated customer can set def_language to a path traversal payload (e.g., ../../../../../var/customers/webs/customer1/evil), which is stored in the database. On subsequent requests, Language::loadLanguage() constructs a file path using this value and executes it via require, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.

AnalysisAI

Authenticated customers can achieve remote code execution in Froxlor server administration software versions prior to 2.3.6 through path traversal in the API's language parameter. By injecting malicious path traversal sequences into the def_language field via the Customers.update or Admins.update API endpoints, authenticated users can force the application to execute arbitrary PHP code as the web server user on subsequent requests. This vulnerability carries a CVSS score of 9.9 with scope change, indicating potential for full system compromise beyond the vulnerable component. Vendor-released patch version 2.3.6 addresses the vulnerability by implementing proper validation of language parameters against available language files.

Technical ContextAI

Froxlor is an open-source server administration panel written in PHP for managing web hosting environments. The vulnerability stems from improper limitation of pathname to a restricted directory (CWE-98), manifesting as a two-stage attack: first, an authenticated user exploits insufficient input validation in the API's Customers.update and Admins.update endpoints to store a malicious path traversal payload (e.g., ../../../../../var/customers/webs/customer1/evil) in the database's def_language field. Second, on subsequent application requests, the Language::loadLanguage() function constructs a file path by concatenating this untrusted database value and executes it using PHP's require statement, which both includes and executes the file as PHP code. This results in arbitrary code execution with the privileges of the web server user (typically www-data or apache), allowing attackers to write webshells, access sensitive data, or pivot to other hosted customer environments. The affected CPE cpe:2.3:a:froxlor:froxlor applies to all versions before 2.3.6.

RemediationAI

Upgrade immediately to Froxlor version 2.3.6 or later, available at https://github.com/froxlor/froxlor/releases/tag/2.3.6, which implements validation of the def_language parameter against the whitelist of available language files, preventing path traversal attacks. After upgrading, review database records for suspicious def_language values containing path traversal sequences (../, absolute paths, or references to customer web directories) and reset them to legitimate language codes. Organizations unable to upgrade immediately should implement strict Web Application Firewall (WAF) rules to block API requests to /api/v1/Customers.update and /api/v1/Admins.update containing def_language parameters with path traversal characters (../, .\, absolute paths), though this may break legitimate language changes and requires careful tuning. Alternatively, restrict API access to trusted IP ranges only via firewall rules, accepting that this prevents remote customer self-service functionality. Monitor web server access logs for unexpected PHP file executions in customer web directories. Review and rotate credentials for all customer and admin accounts, as credential compromise enables exploitation. Note that WAF and firewall mitigations reduce but do not eliminate risk, as authenticated attackers may find alternate injection vectors.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-41228 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy