LeakyCreds

CVE-2026-41229 - Vulnerability Analysis

Severity: Critical (CVSS 9.1)

Last Updated: April 23, 2026

Froxlor - Remote Code Execution

Published: April 23, 2026. Updated: April 23, 2026. Remotely exploitable.

Overview

Froxlor before 2.3.6 contains a code injection vulnerability. PhpHelper::parseArrayToString() does not escape single quotes when it serializes the privileged_user setting into lib/userdata.inc.php, so a value containing a quote terminates the generated PHP string literal and whatever follows is parsed as PHP code. An administrator holding the change_serversettings permission can therefore store a crafted value and have arbitrary PHP executed as the web server user the next time the file is loaded. Exploitation requires an admin account with that permission.
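To make the failure mode concrete, the following is an added illustration, not Froxlor's code: a naive array-to-PHP-source serializer that interpolates values between single quotes verbatim, beside a hardened variant that escapes the only two characters PHP treats specially inside a single-quoted literal, the backslash and the quote itself (var_export applies exactly that rule). The function names, the $settings array layout and the payload are assumptions chosen for the demo; the payload sets a marker instead of calling system() so the effect is observable without side effects.

```php
<?php
// Added example, not Froxlor code. Models the bug class: an untrusted
// value written into a single-quoted PHP literal in a generated config file.

// Vulnerable: the value is dropped between single quotes unescaped, so a
// value containing ' ends the literal and the remainder becomes PHP code.
function naiveArrayToPhp(array $data): string
{
    $out = "<?php\n";
    foreach ($data as $key => $value) {
        $out .= "\$settings['" . $key . "'] = '" . $value . "';\n";
    }
    return $out;
}

// Hardened: var_export() emits a single-quoted literal with \ and ' escaped
// (the only escapes PHP honours inside single quotes), so the value stays
// inert no matter what it contains. Keys get the same treatment.
function safeArrayToPhp(array $data): string
{
    $out = "<?php\n";
    foreach ($data as $key => $value) {
        $out .= "\$settings[" . var_export((string) $key, true) . "] = "
              . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

// Write the generated source to a temp file, include it in a fresh local
// scope and report what the file actually did when PHP parsed it.
function loadGenerated(string $source): array
{
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $source);
    $settings = [];
    unset($GLOBALS['injected']);
    include $path;
    unlink($path);
    return [
        'privileged_user' => $settings['privileged_user'] ?? null,
        'injected'        => $GLOBALS['injected'] ?? false,
    ];
}

// Constructed attacker input: closes the literal, appends a statement and
// comments out the rest of the generated line. A real attacker would put a
// system() or eval() call where the marker assignment is.
$payload = "'; \$GLOBALS['injected'] = true; //";
$input   = ['privileged_user' => $payload];

$vuln = loadGenerated(naiveArrayToPhp($input));
$safe = loadGenerated(safeArrayToPhp($input));

// naive: the marker is set and the stored setting is the empty string,
//        because the literal was closed after zero characters.
// safe : the marker is not set and the stored setting equals the payload.
printf("naive: injected=%s stored=%s\n",
    var_export($vuln['injected'], true), var_export($vuln['privileged_user'], true));
printf("safe : injected=%s stored=%s\n",
    var_export($safe['injected'], true), var_export($safe['privileged_user'], true));
```

The check a reviewer wants on any such serializer is the one this contrast makes visible: feed it a value containing `'`, `\` and a newline, include the output, and confirm the stored value round-trips unchanged and nothing else executed. Escaping only the quote is not enough, since a trailing backslash would then escape the closing quote; escaping both `\` and `'`, as var_export does, is the minimum for single-quoted literals.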

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Attackers who already hold an admin account with the change_serversettings permission can execute arbitrary PHP code as the web server user, leading to full compromise of the hosting server. The PR:H metric reflects that prerequisite; the Scope is Changed because the injected code runs outside the Froxlor application's own authorization boundary.

Mitigation

Update to version 2.3.6 or later.

Details

CVE ID
CVE-2026-41229
Severity
Critical
CVSS Score
9.1
Type
Code injection
Status
new

CWE

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H