Path Traversal Risk in Froxlor Server Administration Software
CVE-2026-41228

10 CRITICAL

Key Information:

Vendor

Froxlor

Status
Vendor
CVE Published:
23 April 2026

What is CVE-2026-41228?

Froxlor, an open-source server administration tool, contains a vulnerability in its API endpoints, which fail to validate user input for language settings. Before version 2.3.6, an authenticated customer could manipulate the def_language parameter to perform path traversal. The flaw allowed attackers to store malicious file paths in the database, leading to arbitrary PHP code execution on the web server. The vulnerability is fixed in version 2.3.6; installations on earlier versions should be updated.
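The fix the advisory describes amounts to validating def_language before it is stored or used to build a file path. The PHP below is added here as an illustration and is not Froxlor's own code: it shows a strict allowlist check of that kind, and the directory layout, file naming scheme and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed layout (not Froxlor's): language files live in LANG_DIR as "<name>.lng.php".
const LANG_DIR = __DIR__ . '/lng';

// Build the allowlist from files that really exist. Only the base name is kept
// (e.g. "English"), so an entry can never carry a separator or ".." component.
function availableLanguages(string $langDir): array
{
    $names = [];
    foreach (glob($langDir . '/*.lng.php') ?: [] as $file) {
        $names[] = basename($file, '.lng.php');
    }
    return $names;
}

// Return the language name when it is an exact allowlist entry, else null.
// Run this at API write time: a value stored in the database is trusted later,
// so it must already be clean when it is saved.
function validateLanguage(string $value, array $allowed): ?string
{
    // Syntactic gate: a language name contains no slashes, dots or NUL bytes.
    if (preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value) !== 1) {
        return null;
    }
    // Strict (===) comparison so loose type juggling cannot produce a match.
    return in_array($value, $allowed, true) ? $value : null;
}

// Assemble the include path only from a validated name, never from raw input.
function languageFilePath(string $value, string $langDir): string
{
    $name = validateLanguage($value, availableLanguages($langDir));
    if ($name === null) {
        throw new InvalidArgumentException('language setting rejected');
    }
    return $langDir . '/' . $name . '.lng.php';
}

// Self-check with constructed inputs against a constructed allowlist.
$allowed = ['English', 'Deutsch'];
if (validateLanguage('English', $allowed) !== 'English') {
    throw new LogicException('valid name refused');
}
foreach (['../../tmp/x', "English\0", 'English/../Deutsch', ''] as $bad) {
    if (validateLanguage($bad, $allowed) !== null) {
        throw new LogicException('traversal-style value accepted');
    }
}
```

The same validator should run on every API path that writes the setting, since a value that reaches the database unchecked is reused without further validation.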

Affected Version(s)

froxlor < 2.3.6

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published: 23 April 2026

  • Vulnerability reserved