Cyber Posture

CVE-2026-41228

Critical · Public PoC

Published: 23 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (Froxlor 2.3.6)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (22.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41228 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Froxlor (vendor Froxlor). Its CVSS 3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 22.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)
Directly requires validation of the def_language parameter against the available language files, preventing path traversal payloads from being stored and later executed.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation by applying the Froxlor 2.3.6 patch, which adds the missing input validation to the API update endpoints.

(prevent)
Enforces restrictions on def_language inputs so that only permitted language identifiers are accepted, blocking traversal strings such as ../../evil before they reach database storage.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Path traversal in the def_language API parameter leads to an unsanitized file include and arbitrary PHP code execution inside the web application. That maps directly to exploitation of a public-facing application (T1190) and to escalation from a low-privileged authenticated customer account to code execution as the web server user (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.

Deeper analysis [AI]

CVE-2026-41228 is a critical-severity vulnerability (CVSS 9.9) in Froxlor, open-source server administration software. Prior to version 2.3.6, the API endpoints `Customers.update` and `Admins.update` fail to validate the `def_language` parameter against the available language files, enabling path traversal. A malicious value such as `../../../../../var/customers/webs/customer1/evil` is stored in the database without sanitization. On a subsequent request, `Language::loadLanguage()` builds a file path from that value and executes it via `require`, resulting in arbitrary PHP code execution as the web server user. The issue is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

An authenticated customer with low privileges (PR:L) can exploit this remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), and the impact crosses a trust boundary (S:C) with high confidentiality, integrity and availability impact (C:H/I:H/A:H). By updating their own `def_language` through the API, the attacker stores a traversal payload that points at a file they control, in the example a file under their own customer web root. When the stored value is used on a later request, the web server executes that file, giving the attacker code execution in the web server user's context and from there a path to compromising the host.

Froxlor version 2.3.6 addresses the vulnerability by validating the `def_language` parameter against available language files. Security practitioners should upgrade immediately, as detailed in the GitHub security advisory (GHSA-w59f-67xm-rxx7), release notes for 2.3.6, and the fixing commit (bc5e6dbaa90e6f3573129da640595e8c770e1d0c). No workarounds are specified in the provided references.
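The vulnerable include and its allowlist fix, written out as an added example that is not Froxlor's own code and is not taken from the advisory or the fixing commit. The `lng/` directory name, the `.lng.php` suffix, the function names and the sample `def_language` column are assumptions constructed for illustration. The block also includes a post-patch audit helper, since the page does not say whether upgrading re-validates values that were stored before the fix.

```php
<?php
declare(strict_types=1);

// Added example, not Froxlor's own code. Models the def_language handling
// described above: the vulnerable loader builds a require path from the stored
// value unchecked; the hardened loader only accepts identifiers that name an
// existing language file. The lng/ directory and the ".lng.php" suffix are
// assumptions made for illustration; the sample column below is constructed.

const LNG_DIR = __DIR__ . '/lng';
const LNG_SUFFIX = '.lng.php';

// Vulnerable pattern (CWE-98). A stored value such as
// "../../../../../var/customers/webs/customer1/evil" escapes lng/ and require
// executes whatever the customer placed at that path. Shown for contrast only;
// nothing below calls it.
function loadLanguageVulnerable(string $defLanguage): void
{
    require LNG_DIR . '/' . $defLanguage . LNG_SUFFIX;
}

// Allowlist built from the language files that actually exist on disk.
function availableLanguages(string $dir = LNG_DIR): array
{
    $langs = [];
    foreach (glob($dir . '/*' . LNG_SUFFIX) ?: [] as $path) {
        $langs[] = basename($path, LNG_SUFFIX);
    }
    return $langs;
}

// Input validation (SI-10): exact, case-sensitive match against the allowlist.
// Stripping "../" from the value would be the weaker approach; here any value
// that is not on the list is rejected regardless of which characters it holds.
function isValidLanguage(string $defLanguage, array $available): bool
{
    return in_array($defLanguage, $available, true);
}

// Hardened loader: validate before the path is even constructed. The same check
// belongs in the update endpoints so that a bad value is never stored at all.
function loadLanguageHardened(string $defLanguage, array $available): void
{
    if (!isValidLanguage($defLanguage, $available)) {
        throw new InvalidArgumentException('unknown language identifier: ' . $defLanguage);
    }
    // Safe: $defLanguage is one of the basenames found under lng/.
    require LNG_DIR . '/' . $defLanguage . LNG_SUFFIX;
}

// Incident-response check: compare every stored def_language against the
// allowlist and return the rows that do not match, keyed by login name.
function auditStoredLanguages(array $stored, array $available): array
{
    $suspicious = [];
    foreach ($stored as $loginname => $defLanguage) {
        if (!isValidLanguage((string) $defLanguage, $available)) {
            $suspicious[$loginname] = $defLanguage;
        }
    }
    return $suspicious;
}

// Constructed sample of a def_language column (assumed table layout).
$stored = [
    'customer1' => '../../../../../var/customers/webs/customer1/evil',
    'customer2' => 'german',
    'customer3' => 'english',
];

// Stand-in allowlist for a machine without a Froxlor install; on a real host
// availableLanguages() reads the lng/ directory instead.
$available = is_dir(LNG_DIR) ? availableLanguages() : ['english', 'german', 'french'];

// Flags customer1's traversal payload; customer2 and customer3 pass.
print_r(auditStoredLanguages($stored, $available));

// The hardened loader refuses the payload before any path is built.
try {
    loadLanguageHardened($stored['customer1'], $available);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The audit query is the piece worth running right after upgrading: a traversal string that was written before 2.3.6 is evidence that the endpoint was abused, and the file it points at should be pulled for analysis before it is deleted.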

Details

CWE(s)

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)

Affected Products

Vendor: froxlor
Product: froxlor
Versions: prior to 2.3.6 (2.3.6 fixes the issue)

CVEs Like This One

CVE-2026-30932 (same product: Froxlor)
CVE-2026-41230 (same product: Froxlor)
CVE-2026-41229 (same product: Froxlor)
CVE-2026-41231 (same product: Froxlor)
CVE-2026-26279 (same product: Froxlor)
CVE-2025-29773 (same product: Froxlor)
CVE-2026-22464 (shared CWE-98)
CVE-2025-23945 (shared CWE-98)
CVE-2026-24390 (shared CWE-98)
CVE-2026-1463 (shared CWE-98)

References

GitHub security advisory GHSA-w59f-67xm-rxx7
Froxlor 2.3.6 release notes
Fixing commit bc5e6dbaa90e6f3573129da640595e8c770e1d0c