Description
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
Published: 2026-04-23
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The flaw lies in the Froxlor API endpoint Customers.update (and Admins.update) before version 2.3.6. The def_language parameter is not validated against the list of available language files, allowing an authenticated user to submit a path traversal payload that is saved to the database. When Language::loadLanguage() later builds a file path from this stored value and includes it with require, arbitrary PHP code is executed as the web server user, giving the attacker remote code execution capability.

Affected Systems

All installations of Froxlor running a version older than 2.3.6 are vulnerable. The issue was addressed in release 2.3.6, so any deployment using a prior version must be considered at risk.

Risk and Exploitability

The CVSS base score of 10 indicates catastrophic impact, while the EPSS score is less than 1%, pointing to a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session to the API; once the malicious payload reaches the server, it can execute arbitrary PHP code as the web server account, potentially leading to full host compromise. Despite the low exploitation likelihood, the severity mandates prompt remediation.

Generated by OpenCVE AI on April 28, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.6 or later to apply the official fix.
  • If a direct upgrade is not immediately feasible, disable or remove the def_language parameter from the Customers.update and Admins.update API calls, for example by temporarily blocking those requests with a web application firewall or by adding custom code to reject any file paths containing traversal characters.
  • Continuously monitor audit logs for changes to the def_language field and investigate any unexpected PHP files appearing in the web root, applying necessary patches or sanitization to mitigate any residual risk.

Generated by OpenCVE AI on April 28, 2026 at 07:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w59f-67xm-rxx7 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution
History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Froxlor
Froxlor froxlor
CPEs cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*
Vendors & Products Froxlor
Froxlor froxlor

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
Title Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Froxlor Froxlor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:48:07.640Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41228

cve-icon Vulnrichment

Updated: 2026-04-23T14:47:03.748Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T04:16:19.193

Modified: 2026-04-27T17:00:33.587

Link: CVE-2026-41228

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses