CVE-2026-41229
PHP Code Injection in Froxlor via Unescaped MySQL Server Settings
Publication date: 2026-04-23
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| froxlor | froxlor | < 2.3.6 (fixed in 2.3.6) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker who already holds the admin permission change_serversettings inject arbitrary PHP code that runs as the web server user, which amounts to full compromise of the host. From there an attacker can read customer records, the database credentials stored in lib/userdata.inc.php and the TLS private keys the panel manages, plant a backdoor that is re-executed on every request, and pivot into the MySQL databases of every customer hosted on the server.
A compromise of that scope defeats the confidentiality, integrity and availability controls that GDPR and HIPAA require for personal and health data; the resulting unauthorised access would normally be a reportable breach, with the legal and financial consequences that follow.
Can you explain this vulnerability to me?
CVE-2026-41229 is a critical PHP code injection (CWE-94) in the Froxlor server-administration panel, affecting versions before 2.3.6. Froxlor persists its database connection settings by serialising a PHP array into lib/userdata.inc.php with PhpHelper::parseArrayToString(). That helper wrote string values into single-quoted PHP string literals without escaping embedded single quotes. When an admin holding the change_serversettings permission added or updated a MySQL server through the API, the privileged_user parameter was accepted without validation and written into that file verbatim, so a value containing a quote terminates the literal and everything after it is parsed as PHP.
Because lib/userdata.inc.php is included on every request through Database::getDB(), the injected code runs as the web server user on every subsequent page load: authenticated remote code execution that persists until the file is rewritten.
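The pattern behind the bug and its escaped counterpart, as an added example that is not Froxlor's code: the function names, the flat $sql array layout and the sample values are assumptions for illustration (the real PhpHelper::parseArrayToString() writes a nested structure), and the third function is a tokenizer-based check you can point at an existing lib/userdata.inc.php.

```php
<?php
// Added example, not Froxlor's code. Shows why writing an unescaped value into
// a single-quoted PHP literal is code injection, the escaped alternative, and a
// tokenizer-based check for an existing lib/userdata.inc.php. The $sql array
// layout, function names and sample values are assumptions for illustration.

// Vulnerable pattern: the value is concatenated into a single-quoted literal,
// so a ' in the value ends the literal and the rest of the value becomes PHP.
function serializeUnescaped(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= "\$sql['" . $key . "'] = '" . $value . "';\n";
    }
    return $out;
}

// Hardened pattern: var_export() emits a literal with ' and \ escaped, so the
// value can never terminate the string it is written into.
function serializeEscaped(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= '$sql[' . var_export((string) $key, true) . '] = '
              . var_export($value, true) . ";\n";
    }
    return $out;
}

// Check: a credentials file should contain nothing but literal assignments.
// Any bare identifier (a function call), include/eval, backtick, or ${...}
// interpolation is reported with its line number.
function findSuspiciousTokens(string $phpSource): array
{
    $literalWords = ['true', 'false', 'null'];
    $dangerous = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
                  T_INLINE_HTML, T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES];
    $findings = [];
    foreach (token_get_all($phpSource) as $tok) {
        if (!is_array($tok)) {
            if ($tok === '`') {
                $findings[] = 'backtick shell execution';
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        $name = token_name($id);
        if ($id === T_STRING && !in_array(strtolower($text), $literalWords, true)) {
            $findings[] = "line $line: identifier '$text'";
        } elseif (strncmp($name, 'T_NAME_', 7) === 0 || in_array($id, $dangerous, true)) {
            // T_NAME_* covers namespaced calls such as \system() on PHP 8.
            $findings[] = "line $line: $name '$text'";
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    // Usage: php check_userdata.php /path/to/froxlor/lib/userdata.inc.php
    $findings = findSuspiciousTokens(file_get_contents($argv[1]));
    echo $findings ? implode("\n", $findings) . "\n" : "no suspicious tokens\n";
    exit($findings ? 1 : 0);
}

// Constructed demo: a privileged_user value that closes the literal, appends a
// statement and reopens a literal so the generated file still parses cleanly.
$payload  = "root'; system(\$_GET['c']); \$x = '";
$settings = ['host' => '127.0.0.1', 'privileged_user' => $payload];

echo "--- unescaped (vulnerable) ---\n", serializeUnescaped($settings);
echo "--- escaped ---\n", serializeEscaped($settings);
echo "--- findings, unescaped ---\n",
     implode("\n", findSuspiciousTokens(serializeUnescaped($settings))), "\n";
echo "--- findings, escaped ---\n",
     count(findSuspiciousTokens(serializeEscaped($settings))), " finding(s)\n";
```

Run without arguments to see the two serialisations side by side: the unescaped file contains `'root'; system($_GET['c']); $x = '';` and the check reports the bare `system` identifier, while the var_export() version keeps the whole payload inside one literal and the check reports nothing. Run with a path to scan a real userdata.inc.php; a non-zero exit means something other than literal assignments is in the file.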
How can this vulnerability impact me?
This vulnerability allows an attacker with admin privileges (specifically change_serversettings permission) to execute arbitrary PHP code on the server as the web server user. This can lead to full server compromise.
- Execution of arbitrary OS commands as the web server user.
- Data exfiltration including customer data, database credentials, and TLS keys.
- Lateral movement across MySQL databases.
- Persistent backdoors since the injected code executes on every request.
- Denial of service if a malformed payload leaves lib/userdata.inc.php with a syntax error, since the file is included on every request and the whole panel then fails to load.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: confirm whether the installed Froxlor is older than 2.3.6, and check whether lib/userdata.inc.php already carries injected code.
Froxlor records its version in lib/version.inc.php; the same value is shown in the web interface:
- grep -E '^\$version' /path/to/froxlor/lib/version.inc.php
A legitimate userdata.inc.php consists only of assignments of quoted literals (host, user, password, socket and so on). Any function call, variable interpolation, backtick or inline HTML in it is a sign of tampering, and a single-quoted literal that ends early (a quote followed by a semicolon and more PHP on the same line) is the direct footprint of this bug. Note the single quotes around the patterns: in double quotes the shell would strip the backslash before `$` and turn the first pattern into an end-of-line anchor that never matches.
- grep -nP '\$\{.*\}' lib/userdata.inc.php
- grep -nE '(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|base64_decode)\s*\(' lib/userdata.inc.php
- php -l lib/userdata.inc.php (a syntax error here is itself suspicious: a malformed injection breaks the file)
Treat a hit in privileged_user, or in any other value, as an indicator of compromise rather than a false positive to be explained away.
Additionally, audit the panel and web server logs for API requests that add or update MySQL server entries, especially from admin accounts holding `change_serversettings`. Such calls are rare in normal operation, so every one should correspond to a change an administrator can account for.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Froxlor to version 2.3.6 or later, which contains the patch for this vulnerability.
Until you can upgrade, reduce the number of admin accounts holding `change_serversettings` to the minimum, and treat those accounts and their API keys as equivalent to a shell on the host, because that is what this bug turns them into.
If you maintain a local patch in the meantime, write values into `lib/userdata.inc.php` with var_export() (or escape backslashes and single quotes with addcslashes($value, "\\'")) instead of concatenating them into a quoted literal, and validate `privileged_user` and `mysql_ca` against the characters a MySQL user name or a file path can legitimately contain.
Review and harden API access controls so that only trusted administrators can add or change MySQL servers.
Baseline `lib/userdata.inc.php` (for example with sha256sum) and alert on any change; the file should only change when an administrator deliberately edits server settings. If it already contains injected code, treat the host as compromised: rotate the database credentials and TLS keys it exposes and rebuild rather than simply deleting the payload.