CVE-2026-26279

· Published 03/03/2026 23:15 · Modified 04/03/2026 18:08

Labels: CVE-2026-26279, 2026-03-03, CWE-78, [email protected]

Essential information

Published: 03/03/2026 23:15
Modified: 04/03/2026 18:08
Author:
Creator:
CVSS: 9.1 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-78
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.

NVD status

Status: Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product: froxlor / froxlor
CPE: cpe:2.3:a:froxlor:froxlor:<2.3.4:*:*:*:*:*:*:*

References