CVE-2026-41228
Path Traversal in Froxlor API Enables Remote Code Execution
Publication date: 2026-04-23
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| froxlor | froxlor | < 2.3.6 (2.3.6 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated customers to execute arbitrary PHP code on the server, potentially leading to full server compromise.
Such a compromise can result in unauthorized access to sensitive data, including reading database credentials and other customers' data, which may violate data protection regulations like GDPR and HIPAA.
The ability to exfiltrate data or maintain persistent backdoors undermines confidentiality, integrity, and availability of data, which are core requirements of these standards.
Therefore, organizations using vulnerable versions of Froxlor may face compliance risks due to potential data breaches and failure to protect personal or sensitive information as mandated by regulations.
Can you explain this vulnerability to me?
CVE-2026-41228 is a critical vulnerability in Froxlor, an open source server administration software, affecting versions prior to 2.3.6. The issue exists in the Froxlor API endpoints `Customers.update` and `Admins.update`, which do not properly validate the `def_language` parameter against the list of available language files.
An authenticated customer can exploit this by setting the `def_language` parameter to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`). This malicious value is stored in the database and later used by the `Language::loadLanguage()` function to construct a file path that is included and executed via PHP's `require` function.
Because the parameter is not validated properly, this allows arbitrary PHP code execution as the web server user, effectively enabling remote code execution (RCE). The vulnerability is fixed in Froxlor version 2.3.6 by adding strict validation and security checks on the `def_language` parameter.
How can this vulnerability impact me?
This vulnerability allows any authenticated customer to execute arbitrary PHP code on the server running Froxlor, with the privileges of the web server user. Possible consequences include:
- Arbitrary PHP code execution leading to full server compromise.
- Reading sensitive files such as database credentials.
- Lateral movement to other customers' data hosted on the same server.
- Establishing persistent backdoors by modifying source code or cron jobs.
- Data exfiltration and unauthorized access to confidential information.
The attack is practical because customers typically have default FTP and API access, allowing them to upload malicious PHP files and then trigger their execution via the vulnerable API.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if any authenticated customer or admin has set the `def_language` parameter to a suspicious path traversal string in the Froxlor database, specifically in the `panel_customers` or `panel_admins` tables.
You can query the database to find entries where `def_language` contains path traversal patterns such as `../`. For example, using SQL commands:
- `SELECT * FROM panel_customers WHERE def_language LIKE '%..%';`
- `SELECT * FROM panel_admins WHERE def_language LIKE '%..%';`
Additionally, monitoring API requests to the `Customers.update` and `Admins.update` endpoints for suspicious `def_language` parameter values containing path traversal sequences can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Froxlor to version 2.3.6 or later, where strict validation of the `def_language` parameter is enforced to prevent path traversal and arbitrary file inclusion.
If upgrading immediately is not possible, you should manually validate and sanitize the `def_language` values in your database to ensure they only contain legitimate language codes matching the available language files.
Also, restrict or monitor API access to prevent authenticated users from setting malicious `def_language` values.
The patch includes checks that reject any `def_language` values containing path traversal sequences or that do not match the basename of the language file, effectively preventing exploitation.
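As an added example (not code from this advisory or from the Froxlor project), the script below implements the validation rule described in the mitigation answer and uses it to scan the two tables named in the detection answer, which also flags values such as absolute paths or unknown codes that a `LIKE '%..%'` query alone would miss. The language file names, the `id` column and all rows are constructed stand-ins, and an in-memory SQLite database replaces the real Froxlor MySQL database.

```python
import os
import sqlite3

# Constructed stand-in for the language files a Froxlor install ships; a real
# deployment would list its own language directory instead (assumption).
AVAILABLE_LANGUAGE_FILES = ["en.lng.php", "de.lng.php", "fr.lng.php"]

def allowed_languages(files=AVAILABLE_LANGUAGE_FILES):
    """Allowlist of language codes derived from the real file names."""
    return {f.split(".")[0] for f in files if f.endswith(".lng.php")}

def is_valid_def_language(value, allowlist):
    """Mirror the fix: the value must be a bare file name (no traversal,
    separators or NUL) and must match an existing language file."""
    if not isinstance(value, str) or not value:
        return False
    if ".." in value or "/" in value or "\\" in value or "\x00" in value:
        return False
    if os.path.basename(value) != value:
        return False
    return value in allowlist

def find_suspicious_rows(conn, allowlist):
    """Scan panel_customers and panel_admins for def_language values that
    would fail validation; returns (table, id, value) tuples."""
    hits = []
    for table in ("panel_customers", "panel_admins"):
        # 'id' is an assumed column name; adjust to the real schema.
        for row_id, lang in conn.execute(f"SELECT id, def_language FROM {table}"):
            if lang is not None and not is_valid_def_language(lang, allowlist):
                hits.append((table, row_id, lang))
    return hits

def build_sample_db():
    """Constructed in-memory SQLite stand-in for the Froxlor tables."""
    conn = sqlite3.connect(":memory:")
    for table in ("panel_customers", "panel_admins"):
        conn.execute(f"CREATE TABLE {table} (id INTEGER, def_language TEXT)")
    conn.executemany("INSERT INTO panel_customers VALUES (?, ?)", [
        (1, "en"),                                                 # legitimate
        (2, "../../../../../var/customers/webs/customer1/evil"),   # advisory payload
        (3, "/var/customers/webs/customer1/evil"),                 # no '..', LIKE misses it
    ])
    conn.executemany("INSERT INTO panel_admins VALUES (?, ?)", [
        (1, "de"),                                                 # legitimate
        (2, "klingon"),                                            # not a shipped language
    ])
    return conn

if __name__ == "__main__":
    for hit in find_suspicious_rows(build_sample_db(), allowed_languages()):
        print("suspicious def_language:", hit)
```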