CVE-2026-41228

Description

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.

CVSS Metrics

• v3.1•CRITICAL•Score: 10CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Techniques & Countermeasures

• CWE-98•Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Affected Systems

• froxlor•froxlor

  < 2.3.6

References (3)

• https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
• https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
• https://github.com/froxlor/froxlor/releases/tag/2.3.6