Improper Input Validation in Froxlor's Domain Management Feature
CVE-2026-41233

5.4MEDIUM

Key Information:

Vendor

Froxlor

Status
Froxlor
Vendor
CVE Published:
23 April 2026

What is CVE-2026-41233?

Froxlor, an open-source server administration platform, contains a vulnerability in its 'Domains.add()' function. The issue arises when the 'adminid' parameter is taken from user input without proper validation, particularly when resellers lack the 'customers_see_all' permission. This exploitation allows a reseller to allocate newly created domains to any admin, subverting their personal domain quota and potentially exhausting another admin's resources. This vulnerability was effectively addressed in version 2.3.6.

Affected Version(s)

froxlor < 2.3.6

References

https://github.com/froxlor/froxlor/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/froxlor/froxlor/commit/bf47ba15329506e...
x_refsource_MISC
https://github.com/froxlor/froxlor/releases/tag/2.3.6
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.