Cyber Posture

CVE-2026-41229

Critical · Public PoC · RCE

Published: 23 April 2026
Modified: 27 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41229 is a critical-severity Code Injection (CWE-94) vulnerability in Froxlor Froxlor. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly addresses the lack of input validation for the privileged_user parameter, preventing injection of malicious PHP code via unescaped single quotes.
- prevent: Mandates timely flaw remediation by applying patches such as Froxlor version 2.3.6, which fixes the escaping issue in PhpHelper::parseArrayToString().
- prevent: Restricts access to privileged configuration change functions such as the change_serversettings API endpoint, limiting exploitation to authorized roles only.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a PHP code injection flaw in a public-facing web administration application that can be exploited over the network by an authenticated user to achieve remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.

Deeper analysis

CVE-2026-41229 is a PHP code injection vulnerability (CWE-94) in Froxlor, open source server administration software. Prior to version 2.3.6, the PhpHelper::parseArrayToString() function writes string values into single-quoted PHP string literals without escaping single quotes. This affects the handling of the privileged_user parameter, which lacks input validation, when it is written to lib/userdata.inc.php.

An authenticated administrator with the change_serversettings permission can exploit this vulnerability over the network by adding or updating a MySQL server configuration via the API. By supplying a malicious privileged_user value containing unescaped single quotes, the attacker injects arbitrary PHP code into lib/userdata.inc.php, which is required on every request through Database::getDB(). The injected code executes as the web server user on every subsequent page load, achieving remote code execution with high confidentiality, integrity, and availability impacts (CVSS 9.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Froxlor version 2.3.6 patches this vulnerability by addressing the escaping issue in PhpHelper::parseArrayToString(). Security practitioners should upgrade to this version, as detailed in the GitHub security advisory (GHSA-gc9w-cc93-rjv8), release notes, and the fixing commit.
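As an added illustration (not Froxlor's code), the following shows a minimal config serializer with the class of defect the advisory describes beside a hardened variant that uses var_export(), plus an input check at the API boundary; the function names, the $sql layout and the sample value are assumptions for this example.

```php
<?php
// Added example, not Froxlor's code: a config writer that emits a PHP array
// literal the way the advisory describes, beside a hardened version and an
// input check. Function names and the $sql layout are assumptions.

// Unsafe: the raw value is interpolated into a single-quoted literal, so a
// value containing a single quote terminates the literal early and whatever
// follows is parsed as PHP code when the file is required.
function unsafeArrayToPhp(array $settings): string
{
    $out = "\$sql = [\n";
    foreach ($settings as $key => $value) {
        $out .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $out . "];\nreturn \$sql;\n";
}

// Hardened: var_export() escapes backslashes and single quotes, so any
// string stays inside its literal regardless of content.
function safeArrayToPhp(array $settings): string
{
    $out = "\$sql = [\n";
    foreach ($settings as $key => $value) {
        $out .= '    ' . var_export((string) $key, true)
              . ' => ' . var_export((string) $value, true) . ",\n";
    }
    return $out . "];\nreturn \$sql;\n";
}

// Defense in depth at the input boundary: a MySQL account name never needs
// quotes, backslashes or whitespace, so reject them before serialization.
function isValidDbUser(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $name) === 1;
}

// Constructed sample value containing a single quote (no payload needed to
// show the defect: the quote alone breaks the literal).
$settings = ['privileged_user' => "o'brien"];

assert(isValidDbUser('froxlor_admin'));
assert(!isValidDbUser("o'brien"));

// The hardened output round-trips; the generated code is evaluated here only
// to prove the literal survives intact. The unsafe output for the same input
// is not even valid PHP, because the literal ends at the embedded quote.
$loaded = eval(safeArrayToPhp($settings));
assert($loaded === $settings);
echo safeArrayToPhp($settings);
```

Run with zend.assertions=1 so the assert() calls are evaluated; the same var_export() approach generalizes to every string written into a generated PHP file, not only privileged_user.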

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: froxlor / froxlor ≤ 2.3.6

CVEs Like This One

CVE-2026-41230 (same product: Froxlor Froxlor)
CVE-2026-30932 (same product: Froxlor Froxlor)
CVE-2026-41228 (same product: Froxlor Froxlor)
CVE-2026-26279 (same product: Froxlor Froxlor)
CVE-2026-41231 (same product: Froxlor Froxlor)
CVE-2025-29773 (same product: Froxlor Froxlor)
CVE-2025-23209 (shared CWE-94)
CVE-2026-39440 (shared CWE-94)
CVE-2026-3300 (shared CWE-94)
CVE-2025-6389 (shared CWE-94)