Executive Summary
A critical path traversal vulnerability (CVE-2026-41228) has been disclosed in Froxlor, a widely used open source server administration panel. The flaw exists in the Customers.update (and Admins.update) API endpoints, which fail to validate the def_language parameter against the list of available language files on disk.
CVSS Score: 9.9 (Critical)
An authenticated customer — with only standard low-privilege access — can set def_language to a path traversal payload, effectively pointing the application to arbitrary files on the server's filesystem. This can lead to local file inclusion (LFI) and, under common Froxlor deployment configurations, escalate to remote code execution (RCE).
Froxlor version 2.3.6 resolves this vulnerability. All installations running prior versions should be updated immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-41228 |
| CVSS Score | 9.9 (Critical) |
| Type | Path Traversal / Local File Inclusion |
| Attack Vector | Network |
| Privileges Required | Low (authenticated customer) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — upgrade to Froxlor 2.3.6 |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Froxlor Server Administration | All versions prior to 2.3.6 | Upgrade to 2.3.6 immediately |
Technical Analysis
Root Cause
The vulnerability originates in Froxlor's account preference update logic. When a customer or admin updates their profile language via the API, the def_language parameter is passed to a function that loads and processes a language file. The application does not validate whether the supplied value corresponds to an actual language file in the language directory — it accepts arbitrary user-supplied strings.
By supplying a path traversal sequence such as ../../../../../../etc/passwd or a path pointing to attacker-controlled content, an authenticated user can cause Froxlor to process arbitrary files on the server.
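The following Python example is added here to show the check that is missing; it is not Froxlor's code (Froxlor is PHP), and the `lng/` directory name and the `<name>.lng.php` file naming are assumptions made for the illustration. It builds the allowlist from the language files that actually exist on disk, rejects any `def_language` value that is not in that list, and keeps a containment check on the resolved path as a second layer.

```python
"""Allowlist validation for a user-supplied language name (added example, not Froxlor code)."""
import tempfile
from pathlib import Path
from typing import Optional

# Assumed naming scheme for this example: <name>.lng.php inside a lng/ directory.
LANG_SUFFIX = ".lng.php"


def available_languages(lang_dir: Path) -> set:
    """Build the allowlist from the language files that really exist in lang_dir."""
    return {
        p.name[: -len(LANG_SUFFIX)]
        for p in lang_dir.iterdir()
        if p.is_file() and p.name.endswith(LANG_SUFFIX)
    }


def unsafe_language_path(lang_dir: Path, def_language: str) -> Path:
    """The flawed pattern: the request value is joined straight into a filesystem path,
    so '../etc/passwd' walks out of the language directory."""
    return lang_dir / def_language


def safe_language_path(lang_dir: Path, def_language: str) -> Optional[Path]:
    """Return the language file only if def_language names a known language, else None.

    Layer 1: membership in the allowlist derived from disk.
    Layer 2: the resolved path must still sit inside lang_dir, so a later
    refactor of the join cannot silently reintroduce traversal.
    """
    if def_language not in available_languages(lang_dir):
        return None
    candidate = (lang_dir / f"{def_language}{LANG_SUFFIX}").resolve()
    base = lang_dir.resolve()
    if base not in candidate.parents:
        return None
    return candidate


def build_sample_tree() -> Path:
    """Constructed sample layout: lng/ with two languages and a sensitive sibling file."""
    root = Path(tempfile.mkdtemp(prefix="lang-demo-"))
    lng = root / "lng"
    lng.mkdir()
    for name in ("english", "german"):
        (lng / f"{name}{LANG_SUFFIX}").write_text("<?php // language strings\n")
    etc = root / "etc"
    etc.mkdir()
    # Constructed stand-in for a file that must never be reachable through def_language.
    (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    lng = root / "lng"
    print("allowlist:", sorted(available_languages(lng)))
    for value in ("english", "../etc/passwd", "english/../../etc/passwd", "french"):
        reachable = unsafe_language_path(lng, value).exists()
        print(f"{value!r}: unsafe join reaches an existing file={reachable}, "
              f"safe lookup={safe_language_path(lng, value)}")
```

Deriving the allowlist from the directory listing is the same idea the advisory describes for the fix ("validated against the known language list"); the point of the second check is that the validation no longer depends on how the path is built later.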
Attack Flow
1. Attacker registers a Froxlor customer account (or compromises any existing account)
2. Attacker calls the Customers.update API endpoint
3. Attacker supplies a crafted def_language value: ../../../../etc/passwd (or similar)
4. Froxlor processes the parameter without validating it against available language files
5. The application reads or includes the target file
6. Depending on configuration, the attacker achieves LFI → PHP code execution
7. Full server compromise possible from a standard customer account
Why This Is Dangerous
Froxlor is frequently deployed on shared hosting infrastructure and ISP panels, where a single installation manages many customers. A path traversal flaw at CVSS 9.9 in this context means:
- Any customer can attack the hosting server, regardless of their own hosting tier
- Credential theft — /etc/passwd, application configs, database credentials are accessible
- Code execution — traversal to log files or PHP-writable paths combined with log poisoning achieves RCE
- Multi-tenant impact — a single attacker compromises the shared hosting environment for all tenants
Impact Assessment
| Impact Area | Description |
|---|---|
| Filesystem Access | Arbitrary file reads via path traversal — /etc/shadow, SSH keys, SSL certs |
| Credential Exposure | Database passwords, Froxlor admin credentials, API keys from config files |
| Code Execution | Log poisoning or PHP-include chains convert LFI to RCE |
| Lateral Movement | Compromise of shared hosting panel enables access to all hosted accounts |
| Data Exfiltration | All tenant data, email, and databases reachable from the server |
Immediate Remediation
Step 1: Upgrade Froxlor to 2.3.6
```bash
# Check current Froxlor version
cat /var/www/froxlor/VERSION
# Update via apt (Debian/Ubuntu)
apt update && apt upgrade froxlor
# Or download the latest release manually
# https://github.com/Froxlor/Froxlor/releases/tag/2.3.6
```
Step 2: Verify the Patch
After upgrade, confirm the def_language parameter is now validated against the known language list by reviewing Customer.php and Admin.php in the API layer.
Step 3: Review Access Logs for Exploitation
```bash
# Search Apache/Nginx access logs for path traversal patterns
# (default access logs record the request line and query string only, not POST bodies;
#  API calls carrying def_language in a POST body are visible only in application-level logs)
grep -i "\.\.\/" /var/log/nginx/access.log
grep -i "def_language" /var/log/froxlor/froxlor.log
```
Step 4: Rotate Credentials
If exploitation is suspected, rotate all credentials accessible from the server:
- Froxlor admin password
- Database passwords for all hosted accounts
- Any API keys stored in Froxlor configuration files
- SSH keys accessible to the web server user
Detection Indicators
| Indicator | Description |
|---|---|
| def_language values containing ../ sequences | Path traversal attempt in API requests |
| Unexpected file reads in server error logs | LFI attempts hitting non-existent paths |
| Froxlor error logs referencing unexpected file paths | Traversal resulting in file-not-found errors |
| Web server processes reading /etc/passwd or SSH key paths | Successful LFI |
| New PHP files in Froxlor-writable directories | Post-exploitation webshell placement |
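The grep in Step 3 and the first indicator above only match a literal `../`; a request that percent-encodes the sequence (once or twice) or uses backslashes is missed. The Python scanner below is an added example, not part of the advisory or of Froxlor, and runs over constructed log lines whose formats are invented for the illustration (they are not Froxlor's real log format). It extracts every `def_language` value it finds in either query-string or JSON form, decodes it, and classifies what it sees.

```python
"""Detection of traversal attempts in def_language values (added example, constructed logs)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Matches def_language=value (query string) or "def_language":"value" (JSON body).
PARAM_RE = re.compile(r'def_language(?:=|"\s*:\s*")([^&\s"]*)')
# A ".." path component after normalisation: at start or after a slash, followed by slash or end.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# What a legitimate language name is expected to look like (assumption for this example).
LANGUAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def normalize(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding and unify backslashes to slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify_def_language(value: str) -> Optional[str]:
    """Return a reason string if the value is suspicious, or None if it looks like a language name."""
    norm = normalize(value)
    if "\x00" in norm:
        return "null byte"
    if TRAVERSAL_RE.search(norm):
        return "path traversal"
    if norm.startswith("/"):
        return "absolute path"
    if not LANGUAGE_NAME_RE.fullmatch(norm):
        return "unexpected characters"
    return None


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, decoded value) for every suspicious def_language seen."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in PARAM_RE.finditer(line):
            raw = match.group(1)
            reason = classify_def_language(raw)
            if reason:
                hits.append((lineno, reason, normalize(raw)))
    return hits


# Constructed sample lines: two access-log style entries, two encoded variants,
# and two application-log style entries with a JSON body. None are real Froxlor output.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:02 +0000] "POST /api.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2026:10:01:09 +0000] "GET /index.php?def_language=english HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/May/2026:10:01:15 +0000] "GET /index.php?def_language=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1337',
    '203.0.113.7 - - [12/May/2026:10:01:21 +0000] "GET /index.php?def_language=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1337',
    '[12/May/2026 10:01:30] api Customers.update params={"id":42,"def_language":"english/../../../etc/passwd"}',
    '[12/May/2026 10:01:35] api Customers.update params={"id":42,"def_language":"/etc/passwd"}',
]


if __name__ == "__main__":
    for lineno, reason, decoded in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {decoded!r}")
```

Anything the classifier flags is worth a closer look together with the other indicators in the table (error-log entries for non-existent paths, unexpected reads by the web server process, new PHP files in writable directories); a clean scan of the access log does not clear an installation, because API calls carrying the parameter in a POST body never reach the access log.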
Post-Remediation Checklist
- Upgrade to Froxlor 2.3.6 on all installations
- Audit logs for def_language path traversal attempts dating back 30+ days
- Rotate all credentials if suspicious activity is found
- Review filesystem permissions — ensure the web server user cannot read sensitive system files
- Enable WAF rules blocking path traversal patterns on Froxlor API endpoints
- Notify tenants if evidence of exploitation exists — their data may be compromised