CVE-2026-26279
Published: 03 March 2026
Summary
CVE-2026-26279 is a critical-severity OS Command Injection (CWE-78) vulnerability in Froxlor, the open source server administration panel (vendor Froxlor, product Froxlor). Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 24.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): enforce format validation on every settings field declared as email type, panel.adminmail included, so that a value carrying shell metacharacters (here the pipe character, which the cron job's own character allowlist permits) is rejected before it is stored.
SI-2 (Flaw Remediation): remediate the specific flaw, a validation typo that used == (comparison) where = (assignment) was intended, by upgrading Froxlor to version 2.3.4.
CM-7 (Least Functionality): restrict or remove root cron jobs that concatenate untrusted configuration data into shell commands; a job that must consume such data should receive it as a single quoted argument rather than have it interpolated into a command string.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An authenticated Froxlor admin escalates to root (T1068, Exploitation for Privilege Escalation) by injecting into the shell command that a root cron job runs (T1059.004, Command and Scripting Interpreter: Unix Shell). Because the panel is reached over the network, the entry point is the exploitation of a remote service (T1210).
NVD Description
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
Deeper analysis
CVE-2026-26279 is a critical vulnerability in Froxlor, an open source server administration panel. Prior to version 2.3.4, a typo in the input validation code, == (comparison) where = (assignment) was intended, disables email format checking for every settings field declared as email type: the comparison evaluates to a boolean that is discarded, so the state that would enable the email check is never set and the submitted value is stored unchanged. An arbitrary string can therefore be stored in the panel.adminmail setting. That value is later concatenated into a shell command executed as root by a cron job, and the pipe character | is explicitly whitelisted by that command's character filter, so the stored string can end the intended command and begin another. The vulnerability maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-482 (Comparing instead of Assigning), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H): network-reachable, low complexity and no user interaction, but high privileges required (PR:H) for the authenticated-admin prerequisite, with changed scope (S:C) because the impact crosses from the web panel into the root account of the host.
An authenticated administrator can exploit this remotely with low complexity: supplying the panel.adminmail field a string that contains the whitelisted pipe character followed by attacker-chosen commands injects those commands into the shell command the root cron job runs. Successful exploitation yields full root-level remote code execution on the server. Since the cron job, not the web request, executes the payload, the injected command runs at the job's next scheduled run and in the cron environment as root, not as the web server user.
The Froxlor security advisory (GHSA-33mp-8p67-xj7c) details the issue and confirms it is fixed in version 2.3.4. The patching commit (22249677107f8f39f8d4a238605641e87dab4343) corrects the validation typo, and administrators are directed to upgrade to the 2.3.4 release for mitigation.
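The two halves of the bug, as an added Python example written for this page (it is not Froxlor's code, which is PHP; the field declarations, the email regex, the character allowlist and the cron command line are constructed stand-ins for what the advisory describes). The first pair of functions shows how a comparison written in place of an assignment leaves the email check unreached, the second pair shows how an allowlist that admits | lets a stored value become a second shell command, and what re-validation at the point of use plus shell quoting does instead.

```python
import re
import shlex

# Minimal email-address shape. Constructed for this example; not Froxlor's regex.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Hypothetical settings-field declarations, modelled on the advisory's
# "settings fields declared as email type".
SETTINGS_FIELDS = {
    "panel.adminmail": {"type": "email"},
    "panel.title": {"type": "string"},
}


def validate_setting_vulnerable(name: str, value: str) -> str:
    """Pre-2.3.4 shape of the bug: a comparison where an assignment was meant.

    'validator == "email"' evaluates to a boolean that is thrown away, so
    'validator' keeps its initial value of None and the email format check
    below never runs. The value is returned unchanged and would be stored.
    """
    validator = None
    if SETTINGS_FIELDS[name]["type"] == "email":
        validator == "email"  # noqa: B015  the typo, kept on purpose
    if validator == "email" and not EMAIL_RE.match(value):
        raise ValueError(f"{name}: not a valid email address")
    return value


def validate_setting_fixed(name: str, value: str) -> str:
    """Same function with the assignment restored: email fields are checked."""
    validator = None
    if SETTINGS_FIELDS[name]["type"] == "email":
        validator = "email"
    if validator == "email" and not EMAIL_RE.match(value):
        raise ValueError(f"{name}: not a valid email address")
    return value


# Character allowlist applied before the stored value reaches a shell command.
# Constructed to reproduce the advisory's point: '|' is explicitly permitted,
# so a stored value can terminate the intended command and start another.
CRON_ALLOWED = re.compile(r"^[A-Za-z0-9@._+\- |]+$")

# Hypothetical root cron job: mail a report to the admin address.
REPORT_CMD = "cat /tmp/report.txt | mail -s 'Froxlor report' "


def build_cron_command_vulnerable(adminmail: str) -> str:
    """Concatenate the admin address into the command after an allowlist
    check that lets '|' through. Everything after the pipe becomes a new
    command executed by the root shell."""
    if not CRON_ALLOWED.match(adminmail):
        raise ValueError("disallowed characters in admin mail")
    return REPORT_CMD + adminmail


def build_cron_command_hardened(adminmail: str) -> str:
    """Hardened form: re-validate the value as an email address at the point
    of use (do not trust the stored setting), then pass it to the shell as a
    single quoted argument so metacharacters can never split the command."""
    if not EMAIL_RE.match(adminmail):
        raise ValueError("admin mail is not a valid email address")
    return REPORT_CMD + shlex.quote(adminmail)


def demo() -> None:
    payload = "root@localhost | id"  # constructed injection string
    stored = validate_setting_vulnerable("panel.adminmail", payload)
    print("vulnerable validator stored:", repr(stored))
    print("vulnerable cron command   :", build_cron_command_vulnerable(stored))
    for fn in (validate_setting_fixed, None):
        try:
            if fn:
                fn("panel.adminmail", payload)
            else:
                build_cron_command_hardened(payload)
        except ValueError as exc:
            print("rejected:", exc)
    print("hardened cron command     :", build_cron_command_hardened("admin@example.com"))


if __name__ == "__main__":
    demo()
```

Running it shows the payload passing the vulnerable validator untouched and landing in a command that ends in `| id`, while both the fixed validator and the hardened builder reject it; a legitimate address still reaches the command, quoted where necessary.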
Details
- CWE(s)