Description

Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.

INFO

Published Date :

2026-04-23T03:44:25.617Z

Last Modified :

2026-04-23T12:31:15.671Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41229 vulnerability.

Vendors Products
Froxlor
  • Froxlor
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41229.

URL Resource
https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae cve-icon cve-icon
https://github.com/froxlor/froxlor/releases/tag/2.3.6 cve-icon cve-icon
https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact