Unescaped Input Vulnerability in Froxlor Server Administration Software
CVE-2026-41229
9.1 CRITICAL
What is CVE-2026-41229?
Froxlor, an open-source server administration panel, contains a PHP code injection vulnerability caused by unescaped input in the MySQL server settings. The privileged_user parameter is not validated, so an admin holding the change_serversettings permission can, intentionally or by mistake, supply a value that contains PHP code. Because that value is written verbatim into a PHP configuration file which the application loads on every web request, the injected code is executed on every request, resulting in arbitrary PHP code execution. Version 2.3.6 contains the fix; installations should be upgraded to 2.3.6 or later.
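As an added illustration (not code from Froxlor or from the advisory), the following PHP shows the general pattern the description refers to: a setting interpolated unescaped into a PHP configuration file that the application later includes, alongside a writer that validates the value and emits it with var_export(). The $sql array layout, the function names, the username regex and the payload are assumptions constructed for this example.

```php
<?php
// Added example, not Froxlor's code: how an unescaped setting becomes
// executable PHP when written into an included configuration file,
// and what a hardened writer looks like.

declare(strict_types=1);

// Vulnerable: the value is interpolated straight into PHP source. A single
// quote in $user closes the string literal; everything after it is parsed
// as code the next time the file is included.
function writeDbConfigVulnerable(string $path, string $user, string $password): void
{
    $php = "<?php\n"
         . "\$sql['user'] = '$user';\n"
         . "\$sql['password'] = '$password';\n";
    file_put_contents($path, $php);
}

// Hardened: whitelist-validate the account name, then emit every value with
// var_export(), which produces a correctly quoted and escaped PHP literal.
function writeDbConfigSafe(string $path, string $user, string $password): void
{
    // Conservative character set and length for a MySQL account name.
    // (Assumption of this example, not a rule taken from Froxlor.)
    if (!preg_match('/^[A-Za-z0-9_.\-]{1,32}$/', $user)) {
        throw new InvalidArgumentException('invalid MySQL user name');
    }
    $php = "<?php\n"
         . '$sql[\'user\'] = ' . var_export($user, true) . ";\n"
         . '$sql[\'password\'] = ' . var_export($password, true) . ";\n";
    file_put_contents($path, $php);
}

// Constructed payload: closes the literal, appends a statement, and
// comments out the trailing quote so the file still parses.
$payload = "root'; file_put_contents('/tmp/pwned', 'x'); //";

$tmp = tempnam(sys_get_temp_dir(), 'cfg');

writeDbConfigVulnerable($tmp, $payload, 'secret');
echo "vulnerable output:\n", file_get_contents($tmp), "\n";
// The generated line reads:
//   $sql['user'] = 'root'; file_put_contents('/tmp/pwned', 'x'); //';
// Including this file (as an application does on every request) would run
// the injected call. `php -l` on the file confirms it is valid PHP.

try {
    writeDbConfigSafe($tmp, $payload, 'secret');
} catch (InvalidArgumentException $e) {
    echo "hardened writer rejected payload: ", $e->getMessage(), "\n";
}

// A legitimate name is accepted, and a password containing quotes and
// backslashes is emitted as an escaped literal rather than as code.
writeDbConfigSafe($tmp, 'froxlor_user', "p'a\\ss");
echo "hardened output:\n", file_get_contents($tmp);
// $sql['user'] = 'froxlor_user';
// $sql['password'] = 'p\'a\\ss';

unlink($tmp);
```

The two defences are independent: the whitelist rejects anything that is not a plausible account name, and var_export() guarantees that whatever is written is a string literal even for fields (such as the password) where a restrictive whitelist is not appropriate. Either one alone would have prevented the interpolated value from being parsed as PHP.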
Affected Version(s)
froxlor < 2.3.6
