Critical (9.1)

Froxlor unauthenticated PHP code injection (CVE-2026-41229)


Critical CVE-2026-41229 RCE in Froxlor server administration panel lets authenticated admins execute arbitrary PHP code persistently. Upgrade to version 2.3.6 to patch.

Affected product: Froxlor (vendor: Froxlor)

Patch now - CVE-2026-41229 is a critical remote code execution in Froxlor versions prior to 2.3.6 that grants authenticated administrators persistent PHP code execution on the host system. Upgrade to version 2.3.6 immediately.

Overview

A critical vulnerability in the Froxlor server administration panel allows authenticated administrators to inject and execute arbitrary PHP code on the host system. Tracked as CVE-2026-41229 with a CVSS score of 9.1, this flaw stems from improper escaping of user input that is written directly into a core PHP configuration file.

Vulnerability Details

The vulnerability exists in the PhpHelper::parseArrayToString() function in versions of Froxlor prior to 2.3.6. When an administrator with the change_serversettings permission adds or updates a MySQL server via the web interface or API, the supplied privileged_user parameter is not validated or escaped. This input is then written directly into the lib/userdata.inc.php file without escaping single quotes.

Since this file is automatically included (required) on every page request to establish database connections, any injected PHP code will execute with the privileges of the web server user (e.g., www-data) every time any page is loaded.
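As an added illustration (not Froxlor's own PhpHelper::parseArrayToString() and not the 2.3.6 fix), the PHP below contrasts a hypothetical naive serializer that concatenates values into a generated config file with a var_export()-based one, and adds a lexer-based check that flags bare identifiers leaking out of a quoted value; the function names and the sample input are constructed for this example.

```php
<?php
// Added illustration (not Froxlor's own PhpHelper::parseArrayToString() and
// not the 2.3.6 fix): why a generated PHP config must use a PHP-aware
// encoder rather than string concatenation.

// Hypothetical naive serializer: quotes values without escaping, so a
// value containing a single quote ends the literal early and whatever
// follows is parsed as PHP when the file is required.
function naiveArrayToPhp(array $data): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($data as $key => $value) {
        $out .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $out . "];\n";
}

// Hardened serializer: var_export() emits a valid PHP literal for any
// scalar or array, escaping quotes and backslashes.
function safeArrayToPhp(array $data): string
{
    return "<?php\n\$sql = " . var_export($data, true) . ";\n";
}

// Sanity check for a generated config: tokenize it and count bare
// identifiers (T_STRING). A pure data file of keys and quoted values
// should contain none; any that appear came from a value that broke out.
function countIdentifiers(string $src): int
{
    $n = 0;
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING) {
            $n++;
        }
    }
    return $n;
}

// Constructed sample input: a benign value containing a single quote.
$settings = ['privileged_user' => "o'reilly"];

$naive = naiveArrayToPhp($settings);
$safe  = safeArrayToPhp($settings);

// Naive output contains 'o'reilly' : "reilly" is lexed as an identifier (1).
printf("naive: %d identifier(s) leaked from input\n", countIdentifiers($naive));
// Hardened output contains 'o\'reilly' : no identifiers (0), value round-trips.
printf("safe:  %d identifier(s) leaked from input\n", countIdentifiers($safe));
```

The same tokenizer check can be run read-only against an existing lib/userdata.inc.php when reviewing a host for signs of a tampered configuration file.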

Impact

An attacker who has compromised or gained control of an administrator account can achieve persistent remote code execution (RCE) on the Froxlor host. This allows them to:

  • Execute arbitrary commands on the underlying operating system.
  • Install malware, create backdoors, or pivot to other systems on the network.
  • Steal, modify, or delete sensitive server configuration and customer data hosted on the server.

The impact is severe because the flaw provides a direct path to full server compromise from an authenticated admin session.

Affected Versions and Remediation

All Froxlor versions before 2.3.6 are affected.

Primary Action: Patch Immediately

The only complete remediation is to upgrade Froxlor to version 2.3.6 or later, which contains a patch that properly escapes the input. Apply this update as soon as possible.

Mitigation for Immediate Risk

If immediate patching is not possible, restrict administrator account access strictly to necessary, trusted personnel. Review administrator accounts for any unauthorized activity or changes. However, these are temporary measures and do not address the root cause.

Security Insight

This vulnerability is a classic case of “second-order” injection, where tainted data is written to a file that is later executed as code. It highlights the persistent risk in administrative interfaces that generate configuration files, a pattern seen in past vulnerabilities in control panels like cPanel and Plesk. The high CVSS score, driven by the low attack complexity and critical impact, underscores that the most dangerous flaws often exist in the trusted management layer itself, where a single compromised credential can lead to total system control.
