Skip to main content

Froxlor EUVDEUVD-2026-25178

| CVE-2026-41229 CRITICAL
Code Injection (CWE-94)
2026-04-23 GitHub_M GHSA-gc9w-cc93-rjv8
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 27, 2026 - 17:00 nvd
Patch available
Re-analysis Queued
Apr 23, 2026 - 13:22 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:44 vuln.today
Patch available
Apr 23, 2026 - 06:16 EUVD
EUVD ID Assigned
Apr 23, 2026 - 04:00 euvd
EUVD-2026-25178
Analysis Generated
Apr 23, 2026 - 04:00 vuln.today
CVE Published
Apr 23, 2026 - 03:44 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString() writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change_serversettings permission adds or updates a MySQL server via the API, the privileged_user parameter (which has no input validation) is written unescaped into lib/userdata.inc.php. Since this file is required on every request via Database::getDB(), an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.

AnalysisAI

Remote code execution in Froxlor server administration software versions prior to 2.3.6 allows authenticated administrators with change_serversettings permission to inject arbitrary PHP code through an unescaped MySQL server configuration parameter. The vulnerability enables persistent code execution on every subsequent HTTP request as the web server user due to improper input sanitization in PhpHelper::parseArrayToString(). Vendor patch available in version 2.3.6. CVSS score of 9.1 reflects the critical impact despite requiring high-privilege authentication, with scope change indicating the attacker can break out of the application's security context.

Technical ContextAI

Froxlor is an open-source server administration panel written in PHP for managing web hosting environments. The vulnerability exists in the PhpHelper::parseArrayToString() function which generates PHP code for configuration files. When processing MySQL server settings via the API endpoint, the function writes the privileged_user parameter value into single-quoted PHP string literals in lib/userdata.inc.php without escaping single quote characters. This configuration file is required on every request through the Database::getDB() initialization path, making any injected code persistent and executed on all subsequent page loads. The root cause is CWE-94 (Improper Control of Generation of Code - Code Injection), specifically a failure to neutralize special characters in data used to construct executable PHP code. The affected product CPE is cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*, with all versions before 2.3.6 vulnerable.

RemediationAI

Upgrade to Froxlor version 2.3.6 immediately, available at https://github.com/froxlor/froxlor/releases/tag/2.3.6. The fix implemented in commit 3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae adds proper single-quote escaping in PhpHelper::parseArrayToString(). For environments where immediate patching is not possible, implement compensating controls: restrict change_serversettings permission to only fully trusted administrator accounts, audit lib/userdata.inc.php for suspicious PHP code patterns, monitor admin API access logs for MySQL server configuration changes, and consider deploying web application firewall rules to inspect API requests to MySQL server management endpoints for code injection patterns (note this provides detection not prevention since the API may legitimately contain special characters). After upgrading, regenerate lib/userdata.inc.php by re-saving MySQL server settings to ensure no malicious code persists from prior exploitation. Review web server access logs and application logs for unusual admin activity during the vulnerable period.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-25178 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy