CVE-2026-41228
Received Received - Intake
Path Traversal in Froxlor API Enables Remote Code Execution

Publication date: 2026-04-23

Last updated on: 2026-04-27

Assigner: GitHub, Inc.

Description
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-23
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41228
EUVD
EUVD-2026-25176
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
froxlor froxlor to 2.3.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41228 is a critical vulnerability in Froxlor, an open source server administration software, affecting versions prior to 2.3.6. The issue exists in the Froxlor API endpoints `Customers.update` and `Admins.update`, which do not properly validate the `def_language` parameter against the list of available language files.

An authenticated customer can exploit this by setting the `def_language` parameter to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`). This malicious value is stored in the database and later used by the `Language::loadLanguage()` function to construct a file path that is included and executed via PHP's `require` function.

Because the parameter is not validated properly, this allows arbitrary PHP code execution as the web server user, effectively enabling remote code execution (RCE). The vulnerability is fixed in Froxlor version 2.3.6 by adding strict validation and security checks on the `def_language` parameter.

Impact Analysis

This vulnerability allows any authenticated customer to execute arbitrary PHP code on the server running Froxlor, with the privileges of the web server user.

  • Arbitrary PHP code execution leading to full server compromise.
  • Reading sensitive files such as database credentials.
  • Lateral movement to other customers' data hosted on the same server.
  • Establishing persistent backdoors by modifying source code or cron jobs.
  • Data exfiltration and unauthorized access to confidential information.

The attack is practical because customers typically have default FTP and API access, allowing them to upload malicious PHP files and then trigger their execution via the vulnerable API.

Detection Guidance

This vulnerability can be detected by checking if any authenticated customer or admin has set the `def_language` parameter to a suspicious path traversal string in the Froxlor database, specifically in the `panel_customers` or `panel_admins` tables.

You can query the database to find entries where `def_language` contains path traversal patterns such as '../'. For example, using SQL commands:

  • SELECT * FROM panel_customers WHERE def_language LIKE '%..%';
  • SELECT * FROM panel_admins WHERE def_language LIKE '%..%';

Additionally, monitoring API requests to the `Customers.update` and `Admins.update` endpoints for suspicious `def_language` parameter values containing path traversal sequences can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade Froxlor to version 2.3.6 or later, where strict validation of the `def_language` parameter is enforced to prevent path traversal and arbitrary file inclusion.

If upgrading immediately is not possible, you should manually validate and sanitize the `def_language` values in your database to ensure they only contain legitimate language codes matching the available language files.

Also, restrict or monitor API access to prevent authenticated users from setting malicious `def_language` values.

The patch includes checks that reject any `def_language` values containing path traversal sequences or that do not match the basename of the language file, effectively preventing exploitation.

Compliance Impact

This vulnerability allows authenticated customers to execute arbitrary PHP code on the server, potentially leading to full server compromise.

Such a compromise can result in unauthorized access to sensitive data, including reading database credentials and other customers' data, which may violate data protection regulations like GDPR and HIPAA.

The ability to exfiltrate data or maintain persistent backdoors undermines confidentiality, integrity, and availability of data, which are core requirements of these standards.

Therefore, organizations using vulnerable versions of Froxlor may face compliance risks due to potential data breaches and failure to protect personal or sensitive information as mandated by regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41228. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart