CVE-2026-26279

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c	Exploit Mitigation Vendor Advisory
https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343	Patch
https://github.com/froxlor/froxlor/releases/tag/2.3.4	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-03 23:15

Updated : 2026-03-05 21:19

NVD link : CVE-2026-26279

Mitre link : CVE-2026-26279

CVE.ORG link : CVE-2026-26279

JSON object : View

Products Affected

froxlor

froxlor

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-482

Comparing instead of Assigning

{"id": "CVE-2026-26279", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2026-03-03T23:15:55.223", "references": [{"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4", "tags": ["Release Notes"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-482"}]}], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."}, {"lang": "es", "value": "Froxlor es software de administraci\u00f3n de servidor de c\u00f3digo abierto. Antes de la versi\u00f3n 2.3.4, un error tipogr\u00e1fico en el c\u00f3digo de validaci\u00f3n de entrada de Froxlor (== en lugar de =) deshabilita completamente la verificaci\u00f3n del formato de correo electr\u00f3nico para todos los campos de configuraci\u00f3n declarados como tipo de correo electr\u00f3nico. Esto permite a un administrador autenticado almacenar cadenas arbitrarias en la configuraci\u00f3n panel.adminmail. Este valor se concatena posteriormente en un comando de shell ejecutado como root por una tarea cron, donde el car\u00e1cter de tuber\u00eda | est\u00e1 expl\u00edcitamente en la lista blanca. El resultado es una ejecuci\u00f3n remota de c\u00f3digo completa a nivel de root. Esta vulnerabilidad se corrige en la versi\u00f3n 2.3.4."}], "lastModified": "2026-03-05T21:19:02.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49CEB95F-CF4B-45DB-A6A7-B6CE5E1F9961", "versionEndExcluding": "2.3.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}