Critical Froxlor Bug: Authenticated Code Execution via Language File Path Traversal
The National Vulnerability Database has published CVE-2026-41228, a critical vulnerability in Froxlor, an open-source server administration panel. Prior to version 2.3.6, the Customers.update and Admins.update API endpoints do not validate the def_language parameter. An authenticated user can therefore supply a path traversal payload such as ../../../../../var/customers/webs/customer1/evil, which is stored in the database unchanged. Note where that payload points: a customer webroot, a directory the customer already controls, so the file the traversal reaches can be attacker-written PHP.
On subsequent requests, Language::loadLanguage() builds the language file path from the stored def_language value and passes it to require, so the attacker-controlled file is executed as PHP with the privileges of the web server user. NVD rates the flaw CVSS 9.9 (CRITICAL): a low-privileged authenticated account is the only precondition, and the outcome is code execution on the panel host.
For an attacker holding even a low-privileged Froxlor account, this is a direct path to full compromise of the host. Defenders running Froxlor must patch to version 2.3.6 without delay. The attacker's calculus is simple: a well-known bug class (path traversal feeding a file inclusion) yields maximum impact for minimal effort once inside, and it is a direct route to persistence and data exfiltration.
What This Means For You
- If your organization runs Froxlor, any authenticated customer or admin account can reach arbitrary PHP code execution on the panel host; this is not theoretical. Patch to Froxlor version 2.3.6 immediately. Because the payload is stored, also inspect the `def_language` values held for customers and admins: anything other than a plain language code (in particular a value containing `../` or `/`) is a stored exploit attempt. Review web server and API logs for `Customers.update` and `Admins.update` calls from accounts with no reason to change a language setting, and look for unexpected PHP files in customer webroots, as either could indicate an ongoing compromise.
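A compact illustration of the bug class described above and of the stored-value check suggested in the bullet, written for this page and not taken from Froxlor's source: the unsafe concatenation that turns a stored def_language into a require target, a hardened resolver that accepts only installed language codes, and an audit helper that flags stored values which could never pass that check. The language directory, the `<code>.lng.php` file naming, the `panel_customers`/`panel_admins` table names and the sample rows are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's code. LANG_DIR and the "<code>.lng.php"
// naming scheme are assumptions made for this illustration.
const LANG_DIR = '/var/www/froxlor/lng';

/**
 * The unsafe pattern the advisory describes: a stored def_language value is
 * concatenated straight into the path that later reaches require. With
 * def_language = "../../../../../var/customers/webs/customer1/evil" the
 * result leaves LANG_DIR and lands in a customer-writable webroot.
 */
function languageFileUnsafe(string $defLanguage): string
{
    return LANG_DIR . '/' . $defLanguage . '.lng.php';
}

/** The sink, shown so the require is visible; never call it with untrusted input. */
function loadLanguageUnsafe(string $defLanguage): void
{
    require languageFileUnsafe($defLanguage);
}

/**
 * Hardened resolver: accept only a well-formed language code that is also in
 * the allowlist of installed languages, and return null otherwise so the
 * caller falls back to the default language. The pattern admits no "/", "."
 * or NUL, so no traversal sequence survives it; the allowlist is what you
 * would build from scandir(LANG_DIR) in production (assumed layout).
 */
function languageFileSafe(string $defLanguage, array $installed): ?string
{
    if (preg_match('/\A[a-z]{2}(?:_[A-Z]{2})?\z/', $defLanguage) !== 1) {
        return null;
    }
    if (!in_array($defLanguage, $installed, true)) {
        return null;
    }
    return LANG_DIR . '/' . $defLanguage . '.lng.php';
}

/**
 * Audit helper for the detection advice above. $rows mimics the result of
 *   SELECT customerid AS id, def_language FROM panel_customers
 * (and the same for panel_admins; table names are assumed here). Any row whose
 * stored value would fail the hardened check is a stored exploit attempt.
 * Empty values mean "use the panel default" and are not flagged.
 */
function auditStoredLanguages(array $rows, array $installed): array
{
    $suspicious = [];
    foreach ($rows as $row) {
        $value = (string) ($row['def_language'] ?? '');
        if ($value === '') {
            continue;
        }
        if (languageFileSafe($value, $installed) === null) {
            $suspicious[] = $row;
        }
    }
    return $suspicious;
}

// Constructed sample data, not real Froxlor records.
$installed = ['en', 'de', 'fr'];
$rows = [
    ['id' => 1, 'def_language' => 'en'],
    ['id' => 2, 'def_language' => ''],
    ['id' => 3, 'def_language' => '../../../../../var/customers/webs/customer1/evil'],
    ['id' => 4, 'def_language' => 'en/../../../../../../etc/passwd'],
];

$payload = $rows[2]['def_language'];
echo "unsafe resolver would require: ", languageFileUnsafe($payload), PHP_EOL;
echo "safe resolver for 'en':        ", languageFileSafe('en', $installed) ?? 'null', PHP_EOL;
echo "safe resolver for payload:     ", languageFileSafe($payload, $installed) ?? 'null', PHP_EOL;

foreach (auditStoredLanguages($rows, $installed) as $hit) {
    printf("suspicious def_language on id %d: %s\n", $hit['id'], $hit['def_language']);
}
```

Run it with `php audit.php`: the first line prints the path the unsafe resolver would hand to require, the hardened resolver returns null for both traversal rows, and the audit reports ids 3 and 4. The allowlist matters more than the regex: a code that is well-formed but not installed would otherwise send require after a file that does not exist, and tying the decision to what is actually on disk is what keeps the check honest as languages are added or removed.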
Affected Components
| CVE | Weakness | Component |
|---|---|---|
| CVE-2026-41228 | Path traversal to file inclusion (RCE) | Froxlor API command `Customers.update` |
| CVE-2026-41228 | Path traversal to file inclusion (RCE) | Froxlor API command `Admins.update` |
| CVE-2026-41228 | Vulnerable versions | Froxlor prior to version 2.3.6 |
| CVE-2026-41228 | Injection point | `def_language` parameter |
Source & Attribution
| Field | Value |
|---|---|
| Source platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.