CRITICAL🇵🇱 Wersja polska

CVE-2026-41228

CVSS 9.9v3.1pub. 2026-04-23upd. 2026-04-27

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.

🤖 AI Analysis
How it works

The API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against a list of available language files. An authenticated user can pass a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`) as the value of this parameter, which is then stored in the database. On subsequent requests, the `Language::loadLanguage()` function constructs the file path based on this value and executes it with the `require` instruction, leading to arbitrary PHP code execution as the web server process user.

Impact

An attacker can execute arbitrary PHP code on the server with the privileges of the web server user, which in practice means complete takeover of the application, access to customer data, and potential lateral movement in the hosting infrastructure.

Mitigation & patch

Froxlor should be updated to version 2.3.6, which introduces validation of the `def_language` parameter against a list of available language files. The patch is available in the manufacturer's GitHub repository (commit bc5e6dbaa90e6f3573129da640595e8c770e1d0c) and in release 2.3.6.

Who is affected

Froxlor in all versions before 2.3.6

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Froxlor

    APP
    Froxlor
    < 2.3.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-41229CRITICAL9.1PL ✓ten sam produkt

Froxlor: wstrzyknięcie kodu PHP przez nieskonfigurowany parametr MySQL

CVE-2026-26279CRITICAL9.1PL ✓ten sam produkt

RCE z uprawnieniami root w Froxlor przez błąd walidacji pól e-mail

CVE-2023-6069CRITICAL9.9ten sam produkt

Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.

CVE-2023-3173CRITICAL9.8ten sam produkt

Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20...

CVE-2023-1307CRITICAL9.8ten sam produkt

Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13.