Vulnerability Description
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Froxlor | Froxlor | < 2.3.6 |
Related Weaknesses (CWE)
References
- https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4Patch
- https://github.com/froxlor/froxlor/releases/tag/2.3.6Release Notes
- https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8ExploitVendor AdvisoryMitigation
- https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8ExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-41229?
CVE-2026-41229 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quo...
How severe is CVE-2026-41229?
CVE-2026-41229 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41229?
Check the references section above for vendor advisories and patch information. Affected products include: Froxlor Froxlor.