
Froxlor EUVD-2026-25188 | CVE-2026-41233 (MEDIUM, 5.4)
Incorrect Authorization (CWE-863)
Published 2026-04-23 · GitHub_M
CVSS 3.1 score 5.4 · source: GitHub Advisory

Severity by source

GitHub Advisory (primary): 5.4 MEDIUM
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Lifecycle Timeline (6 events)

- Apr 27, 2026 16:59 (nvd): Patch released; patch available
- Apr 23, 2026 07:02 (vuln.today): Analysis generated
- Apr 23, 2026 06:16 (EUVD): Patch available
- Apr 23, 2026 05:00 (euvd): EUVD ID assigned (EUVD-2026-25188)
- Apr 23, 2026 05:00 (vuln.today): Analysis generated
- Apr 23, 2026 04:00 (nvd): CVE published

Description (GitHub Advisory)

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add(), the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers_see_all permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's domains_used counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
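The authorization flaw described above, as an added model in Python (not Froxlor's PHP code; class and field names such as Admin, DomainService, domains_limit and add_fixed are assumptions chosen to mirror the advisory's terms). add_vulnerable reproduces the pre-2.3.6 behaviour, where the request's adminid decides whose domains_used counter is charged; add_fixed shows one sound check, which may differ from the actual 2.3.6 patch.

```python
"""Model of the Froxlor Domains.add() authorization flaw (CVE-2026-41233).
Not Froxlor's code: names are assumptions mirroring the advisory's terms
(adminid, customers_see_all, domains_used); the real 2.3.6 patch may differ."""
from dataclasses import dataclass


class QuotaExceeded(Exception):
    pass


class NotAuthorized(Exception):
    pass


@dataclass
class Admin:
    adminid: int
    domains_limit: int  # assumption: 0 means unlimited
    customers_see_all: bool = False
    domains_used: int = 0


class DomainService:
    def __init__(self, admins):
        self.admins = {a.adminid: a for a in admins}
        self.domains = []  # (domain name, owning adminid)

    def _attribute(self, owner, name):
        # The quota is charged to whichever admin the domain is attributed to.
        if owner.domains_limit and owner.domains_used >= owner.domains_limit:
            raise QuotaExceeded(f"admin {owner.adminid} has no domain quota left")
        owner.domains_used += 1
        self.domains.append((name, owner.adminid))

    def add_vulnerable(self, caller, params):
        # Pre-2.3.6 behaviour as the advisory describes it: adminid comes straight
        # from the request, so a reseller can charge a domain to another admin.
        owner = self.admins[params.get("adminid", caller.adminid)]
        self._attribute(owner, params["domain"])

    def add_fixed(self, caller, params):
        # Only a caller holding customers_see_all may attribute a domain to
        # another admin; everyone else is pinned to their own adminid.
        requested = params.get("adminid", caller.adminid)
        if requested != caller.adminid and not caller.customers_see_all:
            raise NotAuthorized("adminid must be the caller's own id")
        if requested not in self.admins:
            raise NotAuthorized("unknown adminid")
        self._attribute(self.admins[requested], params["domain"])
```

With a reseller and a second admin that each have a quota of one domain, add_vulnerable lets the reseller fill the other admin's quota and still create its own domain, while add_fixed rejects the foreign adminid unless the caller holds customers_see_all.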

Analysis (AI-generated)

Froxlor versions prior to 2.3.6 allow authenticated resellers to bypass domain quota restrictions by attributing newly created domains to arbitrary admins through unvalidated adminid parameter input in the Domains.add() function. This vulnerability enables quota exhaustion attacks against other administrators and domain creation beyond the attacker's assigned limits, with confirmed patch availability in version 2.3.6.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

- Access: Authenticate as reseller
- Delivery: Call Domains.add() API
- Exploit: Submit arbitrary adminid parameter
- Execution: Bypass quota validation
- Persist: Increment target admin's domain counter
- Impact: Exhaust target admin quota

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires authenticated access to Froxlor with the role of a reseller (PR:L in the CVSS vector indicates an authenticated but non-administrative user). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: This vulnerability presents moderate but actionable risk despite its CVSS 5.4 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An authenticated reseller with legitimate access to Froxlor's API logs in and calls the `Domains.add()` function. Instead of specifying their own `adminid`, they supply the `adminid` of a competing administrator. …

Remediation: Vendor-released patch: Froxlor 2.3.6. … Detailed patch versions, workarounds, and compensating controls in full report.


EUVD-2026-25188 vulnerability details – vuln.today
