CVE-2026-26279
Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
| Metric | Value |
|---|---|
| CVSS Score | 9.1 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
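The two halves of the bug class described above (a validation result silently discarded because a comparison was written where an assignment belonged, and a stored value later pasted into a root-run shell command) are easiest to see side by side in PHP, the language Froxlor is written in. The following is an added illustration, not Froxlor's own code: the function names, the `email` field type, the setting value and the `mail` cron command are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration (not Froxlor's code). It models the defect class named
// above: a comparison (==) written where an assignment (=) was intended, so a
// validation result is computed and thrown away. Function names, field types
// and the cron command below are assumptions for this example.

function isValidEmail(string $value): bool
{
    // PHP's built-in email-format check. It rejects whitespace and most junk,
    // but '|' is a legal character inside an email local part (a|b@example.org),
    // so format validation alone can never be the defence against shell injection.
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Buggy validator: the error flag is never set because '==' only compares.
function validateSettingBuggy(string $fieldType, string $value): ?string
{
    $error = null;
    if ($fieldType === 'email') {
        // BUG: '==' yields a boolean that is discarded; $error stays null,
        // so any string at all is accepted for an email-typed setting.
        $error == (isValidEmail($value) ? null : 'invalid email address');
    }
    return $error; // null means "accepted"
}

// Fixed validator: identical logic with the intended assignment.
function validateSettingFixed(string $fieldType, string $value): ?string
{
    $error = null;
    if ($fieldType === 'email') {
        $error = isValidEmail($value) ? null : 'invalid email address';
    }
    return $error;
}

// Downstream consumer: a root cron job that builds a shell command from the
// stored value. Quoting the argument with escapeshellarg() makes '|' and every
// other shell metacharacter inert regardless of what validation did upstream;
// a character whitelist that admits shell operators gives no protection here.
function buildMailCommand(string $adminMail, string $subject): string
{
    return 'mail -s ' . escapeshellarg($subject) . ' ' . escapeshellarg($adminMail);
}

// Constructed sample values.
$benign  = 'admin@example.org';
$hostile = 'admin@example.org | true'; // an "email" carrying a shell pipe

var_dump(validateSettingBuggy('email', $hostile));
var_dump(validateSettingFixed('email', $hostile));
var_dump(validateSettingFixed('email', $benign));
echo buildMailCommand($hostile, 'daily report'), PHP_EOL;
```

Running it shows the buggy validator returning `null` (accepted) for the piped sample while the fixed one returns the error string, and the final line prints the `mail` command with the whole address wrapped in single quotes so the pipe is passed as data rather than interpreted by the shell. Two review points follow from this: a `==` whose result is unused is a bug worth a static-analysis rule (CWE-482), and the fix for the command-injection half is argument quoting at the point of use, not a tighter format check, because a syntactically valid email address can still contain `|`.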
| Field | Value |
|---|---|
| CWE | CWE-78, CWE-482 |
| Vendor | froxlor |
| Product | froxlor |
| Published | Mar 3, 2026 |
| Last Updated | Mar 4, 2026 |
CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions

| Vendor / Product | Versions |
|---|---|
| froxlor / Froxlor | < 2.3.4 |