CVE-2026-41229Froxlor · Froxlor
Vulnerability data via NVD (ingested)
Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-41229product:"Froxlor Froxlor"http.html:"Froxlor"More intel sources (5)
vuln:CVE-2026-41229vulnerabilities.cve_id: CVE-2026-41229CVE-2026-41229CVE-2026-41229"CVE-2026-41229" exploit -site:nvd.nist.gov