Michael Kaufmann

40 exploits. Active since Jun 2018.
CVE-2026-41228 (CRITICAL)
Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
CVSS 9.9
CVE-2026-41229 (CRITICAL)
Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
CVSS 9.1
CVE-2026-41230 (HIGH)
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
CVSS 8.5
CVE-2026-41231 (HIGH)
Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
CVSS 7.5
CVE-2026-41232 (MEDIUM)
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing
Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
CVSS 5.0
CVE-2026-41233 (MEDIUM)
Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue.
CVSS 5.4
CVE-2026-30932 (HIGH)
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
CVSS 8.8
CVE-2026-26279 (CRITICAL)
Froxlor <2.3.4 - Command Injection
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
CVSS 9.1
CVE-2018-12642 (HIGH)
Froxlor <0.9.39.5 - Privilege Escalation
Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not owned by the current user.
CVSS 7.5
CVE-2020-10235 (HIGH)
Froxlor <0.10.14 - RCE
An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in install/lib/class.FroxlorInstall.php.
CVSS 8.8
CVE-2020-10236 (MEDIUM)
Froxlor < 0.10.14 - Improper Input Validation
An issue was discovered in Froxlor before 0.10.14. It created files with static names in /tmp during installation if the installation directory was not writable. This allowed local attackers to cause DoS or disclose information from the config files, because of _createUserdataConf in install/lib/class.FroxlorInstall.php.
CVSS 6.1
CVE-2022-3017 (MEDIUM)
froxlor/froxlor <0.10.38 - CSRF
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38.
CVSS 6.5
CVE-2022-3721 (MEDIUM)
Froxlor < 0.10.39 - Code Injection
Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39.
CVSS 4.6
CVE-2022-3869 (MEDIUM)
froxlor/froxlor <0.10.38.2 - Code Injection
Code Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2.
CVSS 6.1
CVE-2022-4864 (MEDIUM)
froxlor/froxlor <2.0.0-beta1 - Command Injection
Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVSS 5.4
CVE-2022-4867 (MEDIUM)
froxlor/froxlor <2.0.0-beta1 - CSRF
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVSS 4.3
CVE-2022-4868 (MEDIUM)
GitHub froxlor/froxlor <2.0.0-beta1 - Info Disclosure
Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVSS 4.3
CVE-2023-0316 (MEDIUM)
froxlor/froxlor <2.0.0 - Path Traversal
Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0.
CVSS 5.5
CVE-2023-0564 (MEDIUM)
GitHub froxlor/froxlor <2.0.10 - Info Disclosure
Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10.
CVSS 5.4
CVE-2023-0565 (MEDIUM)
froxlor/froxlor <2.0.10 - Info Disclosure
Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10.
CVSS 5.5
CVE-2023-0566 (MEDIUM)
Froxlor < 2.0.10 - XSS
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10.
CVSS 6.2
CVE-2023-0572 (MEDIUM)
GitHub froxlor/froxlor <2.0.10 - Info Disclosure
Unchecked Error Condition in GitHub repository froxlor/froxlor prior to 2.0.10.
CVSS 5.3
CVE-2023-0671 (HIGH)
Froxlor < 2.0.10 - Code Injection
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.
CVSS 8.8
CVE-2023-0877 (HIGH)
Froxlor < 2.0.11 - Code Injection
Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.
CVSS 8.8
CVE-2023-1033 (HIGH)
Froxlor < 2.0.11 - CSRF
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11.
CVSS 8.8