Vulnerability Description
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Froxlor | Froxlor | < 2.3.6 |
Related Weaknesses (CWE)
References
- https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1dPatch
- https://github.com/froxlor/froxlor/releases/tag/2.3.6Release Notes
- https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7ExploitVendor AdvisoryMitigation
- https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7ExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-41228?
CVE-2026-41228 is a vulnerability with a CVSS score of 9.9 (CRITICAL). Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against ...
How severe is CVE-2026-41228?
CVE-2026-41228 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41228?
Check the references section above for vendor advisories and patch information. Affected products include: Froxlor Froxlor.