Description
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
Published: 2026-04-23
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is a PHP code injection caused by the system’s failure to escape single quotes when converting array data to a string. An administrator with the change_serversettings privilege can add or modify a MySQL server via the API and supply a privileged_user value that is written directly into a PHP file. Because that file is loaded on every web request, the injected code runs as the web server user on each subsequent page load, giving full control over the system. The weakness is identified as CWE‑94.

Affected Systems

Froxlor, all releases earlier than 2.3.6 are affected. The vulnerability exists in every installation built before the 2.3.6 patch, regardless of deployment environment.

Risk and Exploitability

The CVSS score of 9.1 reflects a high severity Remote Code Execution scenario. The EPSS score of less than 1% suggests that real‑world exploitation is unlikely, and the vulnerability has not been catalogued by CISA as a known exploited vulnerability. Exploitation requires an attacker to be able to execute the Froxlor API as a user with change_serversettings permission; once that privilege is obtained, the attacker can inject PHP code that runs with every page request, offering complete compromise of the server. Given the wide reach of the injected code, the impact is system‑wide, affecting confidentiality, integrity, and availability.

Generated by OpenCVE AI on April 28, 2026 at 07:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.6 or newer, which applies the necessary escaping fix
  • If immediate upgrade is not possible, limit the change_serversettings permission to a single, trusted account and monitor MySQL server changes performed via the API
  • For a temporary measure, reduce or block API access to Froxlor until the patch is applied

Generated by OpenCVE AI on April 28, 2026 at 07:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gc9w-cc93-rjv8 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Froxlor
Froxlor froxlor
CPEs cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*
Vendors & Products Froxlor
Froxlor froxlor

Thu, 23 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
Title Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Froxlor Froxlor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T12:31:15.671Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41229

cve-icon Vulnrichment

Updated: 2026-04-23T12:31:06.759Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T04:16:19.563

Modified: 2026-04-27T17:00:51.763

Link: CVE-2026-41229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses