Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString() writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change_serversettings permission adds or updates a MySQL server via the API, the privileged_user parameter (which has no input validation) is written unescaped into lib/userdata.inc.php. Since this file is required on every request via Database::getDB(), an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
AnalysisAI
Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.
Technical ContextAI
Froxlor is an open-source server administration panel written in PHP for managing web hosting environments. The vulnerability exists in the PhpHelper::parseArrayToString() function which generates PHP code for configuration files. When processing MySQL server settings via the API endpoint, the function writes the privileged_user parameter value into single-quoted PHP string literals in lib/userdata.inc.php without escaping single quote characters. This configuration file is required on every request through the Database::getDB() initialization path, making any injected code persistent and executed on all subsequent page loads. The root cause is CWE-94 (Improper Control of Generation of Code - Code Injection), specifically a failure to neutralize special characters in data used to construct executable PHP code. The affected product CPE is cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*, with all versions before 2.3.6 vulnerable.
RemediationAI
Upgrade to Froxlor version 2.3.6 immediately, available at https://github.com/froxlor/froxlor/releases/tag/2.3.6. The fix implemented in commit 3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae adds proper single-quote escaping in PhpHelper::parseArrayToString(). For environments where immediate patching is not possible, implement compensating controls: restrict change_serversettings permission to only fully trusted administrator accounts, audit lib/userdata.inc.php for suspicious PHP code patterns, monitor admin API access logs for MySQL server configuration changes, and consider deploying web application firewall rules to inspect API requests to MySQL server management endpoints for code injection patterns (note this provides detection not prevention since the API may legitimately contain special characters). After upgrading, regenerate lib/userdata.inc.php by re-saving MySQL server settings to ensure no malicious code persists from prior exploitation. Review web server access logs and application logs for unusual admin activity during the vulnerable period.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25178
GHSA-gc9w-cc93-rjv8