CVE-2026-41228 · CRITICAL 9.9 · EPSS percentile 40.2%

CVE-2026-41228

Description

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.

Scoring

CVSS 3.1: 9.9 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.52% probability of exploitation · percentile 40.2% · 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-04-27

Underlying weaknesses (1)

CWE-98

References

  1. https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
  2. https://github.com/froxlor/froxlor/releases/tag/2.3.6
  3. https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7


Type | Target | Confidence | Tier
Weakness | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98) | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-41229
  - CVE: CVE-2026-26279
  - CVE: CVE-2026-41236
  - CVE: CVE-2026-41234
  - CVE: CVE-2026-41235
  - CVE: CVE-2026-30932

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.