{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41228", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T03:41:47.479Z", "dateUpdated": "2026-04-23T14:48:07.640Z"}, "containers": {"cna": {"title": "Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"}, {"name": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:41:47.479Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue."}], "source": {"advisory": "GHSA-w59f-67xm-rxx7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:46:42.002368Z", "id": "CVE-2026-41228", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:48:07.640Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41228", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T03:41:47.479Z", "dateUpdated": "2026-04-23T14:48:07.640Z"}, "containers": {"cna": {"title": "Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "lang": "en", "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"}, {"name": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:41:47.479Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue."}], "source": {"advisory": "GHSA-w59f-67xm-rxx7", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41228", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T14:46:42.002368Z"}}}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:47:03.748Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9C896A-1305-4134-850E-4B44962A6C0A", "versionEndExcluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue."}], "id": "CVE-2026-41228", "lastModified": "2026-04-27T17:00:33.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T04:16:19.193", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "froxlor", "source": "cna", "vendor": "froxlor"}, "product": "froxlor", "vendor": "froxlor"}], "analysis": {"en": {"generated_at": "2026-04-28T07:40:54.970761+00:00", "value": {"mitigation_remediation": ["Upgrade Froxlor to version 2.3.6 or later to apply the official fix.", "If a direct upgrade is not immediately feasible, disable or remove the def_language parameter from the Customers.update and Admins.update API calls, for example by temporarily blocking those requests with a web application firewall or by adding custom code to reject any file paths containing traversal characters.", "Continuously monitor audit logs for changes to the def_language field and investigate any unexpected PHP files appearing in the web root, applying necessary patches or sanitization to mitigate any residual risk."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Froxlor running a version older than 2.3.6 are vulnerable. The issue was addressed in release 2.3.6, so any deployment using a prior version must be considered at risk.", "description_and_impact": "The flaw lies in the Froxlor API endpoint Customers.update (and Admins.update) before version 2.3.6. The def_language parameter is not validated against the list of available language files, allowing an authenticated user to submit a path traversal payload that is saved to the database. When Language::loadLanguage() later builds a file path from this stored value and includes it with require, arbitrary PHP code is executed as the web server user, giving the attacker remote code execution capability.", "risk_and_exploitability": "The CVSS base score of 10 indicates catastrophic impact, while the EPSS score is less than 1%, pointing to a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session to the API; once the malicious payload reaches the server, it can execute arbitrary PHP code as the web server account, potentially leading to full host compromise. Despite the low exploitation likelihood, the severity mandates prompt remediation."}}}}, "created": "2026-04-27T23:45:15.687796+00:00", "updated": "2026-04-28T07:45:26.037886+00:00", "vendors": ["froxlor", "froxlor$PRODUCT$froxlor"]}