Critical (9.9)

Froxlor RCE via path traversal (CVE-2026-41228)

Authenticated attackers exploit a path traversal in the def_language parameter of Froxlor 2.3.5 and earlier to achieve remote code execution as the web server user. Upgrade to v2.3.6 immediately.

Affected: Froxlor (vendor: Froxlor), all versions prior to 2.3.6

Patch now - CVE-2026-41228 is a critical RCE vulnerability in Froxlor prior to 2.3.6 that grants authenticated attackers remote code execution as the web server user via path traversal in the def_language parameter. Upgrade to version 2.3.6 immediately.

Overview

A critical vulnerability in the Froxlor server administration software allows authenticated users to execute arbitrary code on the host system. The flaw is present in versions prior to 2.3.6 and carries a CVSS score of 9.9 (Critical).

Vulnerability Details

The vulnerability exists in the API endpoints Customers.update and Admins.update. These endpoints fail to properly validate the def_language parameter submitted by a user. An attacker with a standard customer account can submit a path traversal string (like ../../../../../var/customers/webs/customer1/evil) as the preferred language.

This malicious path is stored in the database without validation. Later, when the Froxlor application loads the user's language preference via the Language::loadLanguage() function, it uses the tainted value to construct a file path and executes that file with a PHP require statement. Because the attacker controls the path, they can force the server to include and run a PHP file they already control. On a hosting panel that file is easy to plant: the customer's own web root (the /var/customers/webs/customer1/ directory in the sample payload) is writable by the customer, so the traversal only needs to walk from the language directory into it. The included code runs under the web server's user account, which is remote code execution (RCE).

Impact

Successful exploitation grants an attacker the ability to run any PHP code on the Froxlor server with the permissions of the web service account. This can lead to a complete compromise of the server, including data theft, installation of backdoors, and lateral movement within the network. The attack requires only a low-privilege authenticated session and no user interaction, making it highly accessible to attackers who have obtained or created a customer account.

Remediation and Mitigation

The primary and definitive solution is to upgrade Froxlor to version 2.3.6 or later. This version introduces proper validation for the def_language parameter, restricting it to the list of available, safe language files.

Immediate Actions:

  1. Patch: Update all Froxlor installations to version 2.3.6 without delay.
  2. Audit: Review server logs for API calls to the Customers.update or Admins.update endpoints that carry unusual path strings, and check the def_language value stored for every customer and admin account. Because the payload is persisted in the database, any stored value that is not the name of a shipped language file is evidence of an attempt, whether or not it has already been triggered.
  3. Principle of Least Privilege: The exploit needs nothing beyond a standard customer account, so tightening account permissions does not block it. It does bound what an attacker reaches afterwards, since the injected code runs as the web server user and not as root. Treat this as damage limitation, not a fix.
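The following PHP is an added example for this advisory, not Froxlor's own code. It reproduces the class of bug described under Vulnerability Details (a stored def_language value concatenated into a path that is then passed to require), shows the allow-list fix that the Remediation section describes, and implements the stored-value check from the Audit step. The language directory, the `.lng.php` file naming, the function names and the sample account rows are all constructed for the demo and are not taken from the Froxlor code base.

```php
<?php
// Added example for this advisory; not Froxlor's own code. Directory layout,
// file names, function names and the sample rows are constructed for the demo.
declare(strict_types=1);

// --- Vulnerable shape (assumed to mirror the flaw, not Froxlor's code) -------
// Only the path is computed here. Passing it to require would execute whatever
// file the stored value points at, which is the RCE the advisory describes.
function language_file_vulnerable(string $lngDir, string $defLanguage): string
{
    return $lngDir . '/' . $defLanguage . '.lng.php';
}

// --- Hardened shape ----------------------------------------------------------
// Build the allow-list from the language files actually shipped in $lngDir.
function available_languages(string $lngDir): array
{
    $langs = [];
    foreach (glob($lngDir . '/*.lng.php') ?: [] as $path) {
        $langs[] = basename($path, '.lng.php');
    }
    return $langs;
}

// Exact-match allow-list check. No normalisation or substring logic, so
// "../x", "English/../x" or "English%00" can never be accepted.
function validate_def_language(string $candidate, array $allowed, string $default): string
{
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

// Safe loader: validate first, then require a path built only from a value
// that is known to name a shipped language file.
function load_language_safe(string $lngDir, string $defLanguage, string $default = 'English'): array
{
    $lang = validate_def_language($defLanguage, available_languages($lngDir), $default);
    return require $lngDir . '/' . $lang . '.lng.php';
}

// Post-incident check: a stored def_language that is not a shipped language
// is either an exploitation attempt or corruption, and deserves a look.
function audit_stored_languages(array $rows, array $allowed): array
{
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => !in_array($row['def_language'], $allowed, true)
    ));
}

// --- Demo with a constructed language directory and constructed DB rows ------
$lngDir = sys_get_temp_dir() . '/lng_demo_' . bin2hex(random_bytes(4));
mkdir($lngDir);
file_put_contents($lngDir . '/English.lng.php', "<?php return ['greeting' => 'Hello'];");
file_put_contents($lngDir . '/Deutsch.lng.php', "<?php return ['greeting' => 'Hallo'];");

// The traversal string quoted in the advisory.
$payload = '../../../../../var/customers/webs/customer1/evil';

// Vulnerable: the computed path leaves the language directory entirely.
echo "vulnerable path: ", language_file_vulnerable($lngDir, $payload), PHP_EOL;

// Hardened: the payload is rejected and the default language is loaded instead.
$strings = load_language_safe($lngDir, $payload);
echo "safe loader used: ", $strings['greeting'], PHP_EOL;

// Audit: constructed rows standing in for the stored customer and admin records.
$rows = [
    ['loginname' => 'customer1', 'def_language' => 'English'],
    ['loginname' => 'customer2', 'def_language' => $payload],
    ['loginname' => 'admin',     'def_language' => 'Deutsch'],
];
foreach (audit_stored_languages($rows, available_languages($lngDir)) as $hit) {
    echo "SUSPICIOUS: {$hit['loginname']} -> {$hit['def_language']}", PHP_EOL;
}

// Remove the constructed directory.
array_map('unlink', glob($lngDir . '/*.lng.php'));
rmdir($lngDir);
```

Run it with `php example.php`. The point of the hardened loader is that the value reaching require is never the user's input itself but a name picked from a list the application built from its own files; the audit function reuses that same allow-list, so the check you run over the database is exactly the check the fixed code applies on load.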

Security Insight

This vulnerability is a stark example of how a single missing validation check in a non-critical feature (language selection) can create a catastrophic security breach. It mirrors past incidents in other web applications where user-controlled paths were trusted for file inclusion. The pattern underscores the necessity of implementing strict allow-list validation for any parameter that influences file system operations, regardless of how innocuous the parameter seems.
