Froxlor Critical RCE: Unsanitized Admin Input Leads to Persistent Code Execution
The National Vulnerability Database has disclosed CVE-2026-41229, a critical remote code execution (RCE) vulnerability in Froxlor, open-source server administration software. Prior to version 2.3.6, the PhpHelper::parseArrayToString() function fails to properly escape single quotes when writing string values into PHP string literals.
This flaw becomes exploitable when an administrator with change_serversettings permission adds or updates a MySQL server via the API. The privileged_user parameter, which lacks input validation, is written unescaped into lib/userdata.inc.php. Since this file is required on every request via Database::getDB(), an attacker can inject arbitrary PHP code. This code then executes as the web server user on every subsequent page load, granting persistent control.
With a CVSS score of 9.1 (CRITICAL), this vulnerability represents a severe threat. It allows for complete system compromise and persistent access. Defenders running Froxlor instances must prioritize patching to version 2.3.6 immediately to prevent attackers from establishing a backdoor on their web servers. The attacker’s calculus here is simple: leverage administrative access to achieve silent, persistent RCE.
What This Means For You
- If your organization uses Froxlor for server administration, you are exposed to critical RCE. Check your Froxlor version immediately. You must patch to version 2.3.6 or newer to mitigate CVE-2026-41229. After patching, audit `lib/userdata.inc.php` for any unauthorized code injection, as persistent backdoors could already be in place.
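The root cause described above is a classic delimiter-escaping failure: a string is wrapped in single quotes and written into a PHP source file, so any quote inside the value terminates the literal early and whatever follows is parsed as code. The following Python is an added example, not Froxlor's code, showing the correct escaping for a PHP single-quoted literal (what PHP's var_export() does) beside the naive pattern, plus a small audit helper for the post-patch check: it accepts only plain `$sql[...] = '...';` assignments and flags any other statement. The file layout it models is a simplified assumption about lib/userdata.inc.php, and all function names are this example's own; tune the allow-list to the file your installation actually generates.

```python
"""Added example (not part of Froxlor): PHP literal escaping and a config-file audit."""
import re

def php_single_quoted(value: str) -> str:
    """Return a PHP single-quoted literal for value.
    Inside '...' PHP only recognises the escapes \\\\ and \\', so those are the
    two characters that must be escaped; this is the step the page says
    parseArrayToString() lacked before 2.3.6."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def naive_single_quoted(value: str) -> str:
    """The unsafe pattern: wrap in quotes with no escaping at all."""
    return "'" + value + "'"

def render_userdata(settings: dict) -> str:
    """Render a config file in the assumed lib/userdata.inc.php style:
    one `$sql['key'] = 'value';` line per setting, values safely escaped."""
    lines = ["<?php"]
    for key, value in settings.items():
        lines.append(f"$sql[{php_single_quoted(key)}] = {php_single_quoted(str(value))};")
    return "\n".join(lines) + "\n"

# Allow-list for the audit (assumed file format): a single assignment to
# $sql['key'] or $sql_root[N]['key'] whose value is a well-formed quoted
# literal (no unescaped quote or backslash), a boolean, or an integer.
_ASSIGN = re.compile(
    r"^\$sql(?:_root\[\d+\])?\['[A-Za-z0-9_]+'\]\s*=\s*"
    r"(?:'(?:[^'\\]|\\.)*'|true|false|\d+)\s*;$"
)

def audit_userdata(source: str) -> list:
    """Return one finding per line that is not a plain literal assignment.
    A generated config file should contain nothing else, so any extra
    statement, function call, or broken literal is worth a human look."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped == "" or stripped == "<?php":
            continue
        if not _ASSIGN.match(stripped):
            findings.append(f"line {lineno}: unexpected statement: {stripped}")
    return findings

def demo() -> dict:
    """Constructed sample: the same apostrophe-bearing value written both ways.
    The escaped file audits clean; the naive file has a broken literal, which
    is exactly the condition that lets trailing text be parsed as PHP."""
    settings = {"host": "localhost", "user": "froxlor", "privileged_user": "o'brien"}
    safe_file = render_userdata(settings)
    unsafe_file = "<?php\n$sql['privileged_user'] = " + naive_single_quoted("o'brien") + ";\n"
    return {
        "safe_findings": audit_userdata(safe_file),
        "unsafe_findings": audit_userdata(unsafe_file),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

To audit a real installation, read the generated file into a string and pass it to audit_userdata(); an empty list means every line matched the expected shape, and any finding should be compared against what a fresh install writes before you assume it is benign.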
CVE-2026-41229 - Froxlor Unsanitized Admin Input for MySQL Server Settings
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41229 | RCE | Froxlor < 2.3.6 |
| CVE-2026-41229 | Code Injection | Froxlor PhpHelper::parseArrayToString() function |
| CVE-2026-41229 | Code Injection | Froxlor API 'privileged_user' parameter |
| CVE-2026-41229 | Code Injection | Froxlor lib/userdata.inc.php file |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.