{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41233", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T04:00:19.011Z", "dateUpdated": "2026-04-23T12:26:22.883Z"}, "containers": {"cna": {"title": "Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"}, {"name": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T04:00:19.011Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue."}], "source": {"advisory": "GHSA-jvx4-xv3m-hrj4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:26:17.190754Z", "id": "CVE-2026-41233", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:26:22.883Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41233", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T12:26:17.190754Z"}}}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:26:07.267Z"}}], "cna": {"title": "Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()", "source": {"advisory": "GHSA-jvx4-xv3m-hrj4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"status": "affected", "version": "< 2.3.6"}]}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4", "name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5", "name": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T04:00:19.011Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41233", "state": "PUBLISHED", "dateUpdated": "2026-04-23T12:26:22.883Z", "dateReserved": "2026-04-18T03:47:03.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T04:00:19.011Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9C896A-1305-4134-850E-4B44962A6C0A", "versionEndExcluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes the issue."}], "id": "CVE-2026-41233", "lastModified": "2026-04-27T16:59:16.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T05:16:05.477", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/froxlor/froxlor/commit/bf47ba15329506e9f9662f9462463932aa80dff5"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "froxlor", "source": "cna", "vendor": "froxlor"}, "product": "froxlor", "vendor": "froxlor"}], "analysis": {"en": {"generated_at": "2026-04-28T14:59:30.555129+00:00", "value": {"mitigation_remediation": ["Upgrade Froxlor to version 2.3.6 or later, which validates the adminid parameter and prevents the quota bypass. ", "Review the customers_see_all permission settings for resellers and adjust as necessary to ensure correct visibility of customer accounts. ", "Enable logging of domain creation requests and monitor logs for adminid values that do not match the logged-in reseller to detect exploitation attempts."], "summary": {"action": "Immediate Upgrade", "impact": "Resource Exhaustion via Domain Quota Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Froxlor server administration software, specifically all releases prior to version 2.3.6. Users running Froxlor 2.3.5 or earlier, regardless of operating system, are susceptible because the flaw resides in the core domain\u2011management code. Version 2.3.6 and later contain the necessary validation to prevent the abuse.", "description_and_impact": "The flaw in the Froxlor web\u2011interface occurs in the Domains.add() routine where the adminid parameter is accepted from user input without validation if the calling reseller does not have the customers_see_all permission. A reseller can therefore assign newly created domains to any other administrator, causing the domain counter of that unrelated admin to increment while the reseller\u2019s own quota remains unchanged. This allows a reseller to exhaust another administrator\u2019s domain quota, potentially locking that user out of adding new domains. The issue is a classic example of improper authorization characterized by CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity. The EPSS score of less than 1% suggests a low likelihood of public exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker must possess reseller\u2011level access to the management interface, but otherwise needs no special conditions; the attack can be performed by simply submitting a domain\u2011creation request with a crafted adminid. The impact is limited to evading the intended resource quotas rather than achieving code execution or broader system compromise."}}}}, "created": "2026-04-27T23:45:15.684446+00:00", "updated": "2026-04-28T15:00:14.544893+00:00", "vendors": ["froxlor", "froxlor$PRODUCT$froxlor"]}