Vulnerability details: VCID-9t9n-1hhp-3yga
Vulnerability ID: VCID-9t9n-1hhp-3yga
Aliases: CVE-2026-41228, GHSA-w59f-67xm-rxx7
Summary: Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
Status: Published
Exploitability: 0.5
Weighted Severity: 9.0
Risk: 4.5
System           Score      Found at
epss             0.00085    https://api.first.org/data/v1/epss?cve=CVE-2026-41228
cvssv3.1_qr      CRITICAL   https://github.com/advisories/GHSA-w59f-67xm-rxx7
cvssv3.1         9.9        https://github.com/froxlor/froxlor
generic_textual  CRITICAL   https://github.com/froxlor/froxlor
cvssv3.1         10         https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
cvssv3.1         9.9        https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
generic_textual  CRITICAL   https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
ssvc             Track*     https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
cvssv3.1         10         https://github.com/froxlor/froxlor/releases/tag/2.3.6
cvssv3.1         9.9        https://github.com/froxlor/froxlor/releases/tag/2.3.6
generic_textual  CRITICAL   https://github.com/froxlor/froxlor/releases/tag/2.3.6
ssvc             Track*     https://github.com/froxlor/froxlor/releases/tag/2.3.6
cvssv3.1         10         https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
cvssv3.1         9.9        https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
cvssv3.1_qr      CRITICAL   https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
generic_textual  CRITICAL   https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
ssvc             Track*     https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
cvssv3.1         9.9        https://nvd.nist.gov/vuln/detail/CVE-2026-41228
generic_textual  CRITICAL   https://nvd.nist.gov/vuln/detail/CVE-2026-41228
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor
The same CVSS v3.1 vector is reported by every source listed here. Decoded: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) low; User Interaction (UI) none; Scope (S) changed; Confidentiality Impact (C) high; Integrity Impact (I) high; Availability Impact (A) high.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:46:42Z/ Found at https://github.com/froxlor/froxlor/commit/bc5e6dbaa90e6f3573129da640595e8c770e1d0c
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor/releases/tag/2.3.6
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:46:42Z/ Found at https://github.com/froxlor/froxlor/releases/tag/2.3.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:46:42Z/ Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-w59f-67xm-rxx7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41228
Exploit Prediction Scoring System (EPSS)
Percentile: 0.24712
EPSS Score: 0.00085
Published At: June 11, 2026, 12:55 p.m.

History
Date                               Actor          Action   Source                                                                                  VulnerableCode Version
2026-06-11T16:51:15.319890+00:00   Vulnrichment   Import   https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41228.json   38.6.0