Vulnerability Description
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
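The authorization gap described above, as an added illustration that is not Froxlor's own code: a hypothetical, simplified PHP model of how `Domains.add()` could resolve `adminid` insecurely versus pinned to the caller, together with the quota counter that the resolved id is charged against. The function names, the `$caller`/`$params`/`$admins` array layout and the use of -1 for an unlimited quota are assumptions.

```php
<?php
// Hypothetical model of the adminid handling in Domains.add(); not Froxlor's code.
// Assumed shapes: $caller = ['adminid' => int, 'customers_see_all' => 0|1],
// $params = request parameters, $admins = adminid => ['domains', 'domains_used'].

// Vulnerable pattern: adminid comes straight from the request, so a reseller
// without customers_see_all can have the domain (and the domains_used increment)
// attributed to any other admin.
function resolveAdminIdVulnerable(array $caller, array $params): int
{
    return isset($params['adminid']) ? (int)$params['adminid'] : (int)$caller['adminid'];
}

// Hardened pattern: only a caller holding customers_see_all may pick another admin;
// every other caller is pinned to its own adminid whatever the request contains.
function resolveAdminIdFixed(array $caller, array $params): int
{
    $own = (int)$caller['adminid'];
    if (empty($caller['customers_see_all'])) {
        return $own;
    }
    return isset($params['adminid']) ? (int)$params['adminid'] : $own;
}

// Quota check and counter update keyed on the resolved admin, so the admin whose
// domains_used is incremented is the one whose quota is actually enforced.
function addDomain(array &$admins, int $adminid): bool
{
    if (!isset($admins[$adminid])) {
        return false; // unknown admin: reject rather than silently succeed
    }
    $a = &$admins[$adminid];
    if ($a['domains'] != -1 && $a['domains_used'] >= $a['domains']) {
        return false; // quota exhausted (assumption: -1 means unlimited)
    }
    $a['domains_used']++;
    return true;
}

// Constructed sample: reseller 2 has a quota of 1, already used, and no
// customers_see_all; the request names admin 1 as the owner instead.
$admins   = [1 => ['domains' => 10, 'domains_used' => 0],
             2 => ['domains' => 1,  'domains_used' => 1]];
$reseller = ['adminid' => 2, 'customers_see_all' => 0];
$request  = ['adminid' => 1];

// Vulnerable resolver charges admin 1's counter; the fixed one charges the
// reseller's own exhausted quota and the add is refused.
var_dump(addDomain($admins, resolveAdminIdVulnerable($reseller, $request)));
var_dump(addDomain($admins, resolveAdminIdFixed($reseller, $request)));
```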
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Froxlor | Froxlor | < 2.3.6 |
Related Weaknesses (CWE)
References
- https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80df (Patch)
- https://github.com/froxlor/froxlor/releases/tag/2.3.6 (Release Notes)
- https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4 (Exploit, Vendor Advisory, Mitigation)
FAQ
What is CVE-2026-41233?
CVE-2026-41233 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling rese...
How severe is CVE-2026-41233?
CVE-2026-41233 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-41233?
Check the references section above for vendor advisories and patch information. Affected products include Froxlor (vendor: Froxlor), versions prior to 2.3.6.