<0.1% probability · 22.2nd percentile — 2026-05-12
Affected versions
Froxlor open source server administration software prior to 2.3.6
Summary
Froxlor's customer and admin update API endpoints fail to validate the `def_language` parameter against the language files that actually exist. An authenticated attacker can supply a path traversal payload in that parameter; the value is stored in the database and later passed to PHP `require`, so attacker-chosen code is executed as the web server user. Version 2.3.6 fixes the missing input validation.
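The root cause is a missing allowlist check before a user-supplied value becomes part of a `require` path. The following is an added illustration, not Froxlor's own code: it assumes translations live as `<code>.lang.php` files under a language directory (an assumption) and accepts only a value that both matches a strict language-code pattern and names a file that exists, applying the same check again at load time so a bad value that somehow reached the database is still refused.

```php
<?php
// Added example (not Froxlor's code). Assumes language files are stored as
// <code>.lang.php under $langDir; adjust to the real layout.

function availableLanguages(string $langDir): array
{
    // Build the allowlist from the directory listing, not from user input.
    $codes = [];
    foreach (glob($langDir . '/*.lang.php') ?: [] as $file) {
        $codes[] = basename($file, '.lang.php');
    }
    return $codes;
}

function validateDefLanguage(string $requested, string $langDir): ?string
{
    // Reject anything that is not a plain code such as "en" or "de_DE";
    // this alone excludes slashes, dots and NUL bytes.
    if (!preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $requested)) {
        return null;
    }
    // Exact, type-strict match against the files that really exist.
    return in_array($requested, availableLanguages($langDir), true) ? $requested : null;
}

function loadLanguage(string $stored, string $langDir): bool
{
    // Defence in depth: re-validate at require time rather than trusting the
    // database, so a value stored before the fix cannot be executed.
    $code = validateDefLanguage($stored, $langDir);
    if ($code === null) {
        return false;
    }
    require $langDir . '/' . $code . '.lang.php';
    return true;
}

// Constructed demo inputs: "en" is accepted only if en.lang.php exists,
// the traversal-style value is rejected before any file path is built.
$langDir = __DIR__ . '/lng';
foreach (['en', '../../some/other/file'] as $candidate) {
    $ok = validateDefLanguage($candidate, $langDir);
    printf("%-25s => %s\n", $candidate, $ok === null ? 'rejected' : 'stored as ' . $ok);
}
```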
Remediation
Upgrade Froxlor to the patched version 2.3.6 immediately. If patching must be delayed, review user access permissions and remove any untrusted authenticated accounts, since the flaw is reachable by any authenticated user of the affected endpoints.