{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41229", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T03:44:25.617Z", "dateUpdated": "2026-04-23T12:31:15.671Z"}, "containers": {"cna": {"title": "Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"}, {"name": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:44:25.617Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch."}], "source": {"advisory": "GHSA-gc9w-cc93-rjv8", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:31:11.971510Z", "id": "CVE-2026-41229", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:31:15.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41229", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T12:31:11.971510Z"}}}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:31:06.759Z"}}], "cna": {"title": "Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)", "source": {"advisory": "GHSA-gc9w-cc93-rjv8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"status": "affected", "version": "< 2.3.6"}]}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8", "name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae", "name": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:44:25.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41229", "state": "PUBLISHED", "dateUpdated": "2026-04-23T12:31:15.671Z", "dateReserved": "2026-04-18T03:47:03.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T03:44:25.617Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9C896A-1305-4134-850E-4B44962A6C0A", "versionEndExcluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load. Version 2.3.6 contains a patch."}], "id": "CVE-2026-41229", "lastModified": "2026-04-27T17:00:51.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T04:16:19.563", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "froxlor", "source": "cna", "vendor": "froxlor"}, "product": "froxlor", "vendor": "froxlor"}], "analysis": {"en": {"generated_at": "2026-04-28T07:40:19.359719+00:00", "value": {"mitigation_remediation": ["Upgrade Froxlor to version 2.3.6 or newer, which applies the necessary escaping fix", "If immediate upgrade is not possible, limit the change_serversettings permission to a single, trusted account and monitor MySQL server changes performed via the API", "For a temporary measure, reduce or block API access to Froxlor until the patch is applied"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Froxlor, all releases earlier than 2.3.6 are affected. The vulnerability exists in every installation built before the 2.3.6 patch, regardless of deployment environment.", "description_and_impact": "The flaw is a PHP code injection caused by the system\u2019s failure to escape single quotes when converting array data to a string. An administrator with the change_serversettings privilege can add or modify a MySQL server via the API and supply a privileged_user value that is written directly into a PHP file. Because that file is loaded on every web request, the injected code runs as the web server user on each subsequent page load, giving full control over the system. The weakness is identified as CWE\u201194.", "risk_and_exploitability": "The CVSS score of 9.1 reflects a high severity Remote Code Execution scenario. The EPSS score of less than 1% suggests that real\u2011world exploitation is unlikely, and the vulnerability has not been catalogued by CISA as a known exploited vulnerability. Exploitation requires an attacker to be able to execute the Froxlor API as a user with change_serversettings permission; once that privilege is obtained, the attacker can inject PHP code that runs with every page request, offering complete compromise of the server. Given the wide reach of the injected code, the impact is system\u2011wide, affecting confidentiality, integrity, and availability."}}}}, "created": "2026-04-27T23:45:15.685781+00:00", "updated": "2026-04-28T07:45:26.037395+00:00", "vendors": ["froxlor", "froxlor$PRODUCT$froxlor"]}