Compliance Impact

The vulnerability allows an attacker with admin privileges to inject arbitrary PHP code that executes as the web server user, leading to full server compromise. This includes potential data exfiltration of customer data, database credentials, and TLS keys, as well as persistent backdoors and lateral movement across databases.

Such a compromise can severely impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability. Unauthorized access and data breaches resulting from this vulnerability could lead to violations of these regulations, resulting in legal and financial consequences.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-41229 is a critical PHP code injection vulnerability in Froxlor server administration software versions prior to 2.3.6. The vulnerability occurs because the function PhpHelper::parseArrayToString() writes string values into single-quoted PHP string literals without properly escaping single quotes. Specifically, when an admin with change_serversettings permission adds or updates a MySQL server via the API, the privileged_user parameter is accepted without input validation and is written unescaped into the userdata.inc.php file.

Since userdata.inc.php is included on every request through Database::getDB(), an attacker who can control privileged_user can inject arbitrary PHP code that executes as the web server user on every subsequent page load. This allows for remote code execution with the privileges of the web server user.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with admin privileges (specifically change_serversettings permission) to execute arbitrary PHP code on the server as the web server user. This can lead to full server compromise.

• Execution of arbitrary OS commands as the web server user.
• Data exfiltration including customer data, database credentials, and TLS keys.
• Lateral movement across MySQL databases.
• Persistent backdoors since the injected code executes on every request.
• Potential denial of service if malformed PHP code breaks the Froxlor panel.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the Froxlor installation is running a vulnerable version prior to 2.3.6 and if the `lib/userdata.inc.php` file contains unescaped user input, particularly in the `privileged_user` parameter.

One approach is to inspect the `lib/userdata.inc.php` file for suspicious PHP code injections or unescaped single quotes that could indicate exploitation.

You can also verify the Froxlor version installed by running a command to check the version, for example:

• grep -i version /path/to/froxlor/VERSION or check the version via the Froxlor web interface.

To detect potential code injection, you might search for suspicious PHP code patterns in the userdata.inc.php file with commands like:

• grep -P "\$\{.*\}" lib/userdata.inc.php
• grep -E "system\(|exec\(|shell_exec\(|passthru\(" lib/userdata.inc.php

Additionally, monitoring web server logs for unusual requests from admins with `change_serversettings` permission or unexpected API calls to add or update MySQL servers could help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Froxlor to version 2.3.6 or later, which contains the patch addressing this vulnerability.

If upgrading immediately is not possible, restrict or disable admin accounts with `change_serversettings` permission from adding or updating MySQL servers via the API to prevent exploitation.

Apply input validation and escaping for the `privileged_user` and `mysql_ca` parameters to prevent injection of arbitrary PHP code.

Review and harden API access controls to ensure only trusted administrators can perform sensitive operations.

Monitor the `lib/userdata.inc.php` file for unauthorized changes and consider implementing file integrity monitoring.

Useful 0 Not Useful 0