Home / Vulnerability Intelligence / CVE-2026-26279

CVE-2026-26279 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 4, 2026

Froxlor - Command Injection

Published: March 3, 2026Updated: March 4, 2026Remote Exploitable

Overview

Froxlor < 2.3.4 contains a command injection caused by a typo in input validation disabling email format checking, letting authenticated admins achieve root-level remote code execution via shell command injection, exploit requires admin privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 22.6%(Probability of exploitation in next 30 days)

Impact

Authenticated admins can execute arbitrary code as root, leading to full system compromise.

Mitigation

Update to version 2.3.4 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 4, 2026

🔴 CVE-2026-26279 - Critical (9.1) Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticat... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26279/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-26279
Severity: Critical
CVSS Score: 9.1
Type: command_injection
Status: unconfirmed
EPSS: 22.6%
Social Posts: 1

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

22.6%Probability of exploitation in the next 30 days