Executive Summary
A critical PHP code injection vulnerability (CVE-2026-41229) has been disclosed in Froxlor, an open source server administration panel. The flaw resides in PhpHelper::parseArrayToString(), which serializes settings into PHP configuration files using single-quoted string literals — without escaping single quotes in user-supplied values.
CVSS Score: 9.1 (Critical)
An admin account holding the change_serversettings permission can add or update a MySQL server configuration via the API, supplying a string containing an unescaped single quote. The resulting PHP file contains injected arbitrary code that executes when the configuration is loaded. This constitutes a server-side code injection vulnerability leading to full remote code execution.
Froxlor 2.3.6 resolves this issue. All installations on prior versions should be patched immediately, especially those with multiple admin accounts or shared admin access.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-41229 |
| CVSS Score | 9.1 (Critical) |
| Type | PHP Code Injection |
| Attack Vector | Network |
| Privileges Required | High (admin with change_serversettings permission) |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — upgrade to Froxlor 2.3.6 |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Froxlor Server Administration | All versions prior to 2.3.6 | Upgrade to 2.3.6 immediately |
Technical Analysis
Root Cause
The vulnerability originates in PhpHelper::parseArrayToString(), a utility function that converts PHP arrays into serialized PHP configuration file syntax. The function wraps string values in single-quoted literals:
```php
// Vulnerable code pattern (simplified)
$output .= "'" . $value . "'"; // $value is not escaped
```
When an admin submits a MySQL server hostname, username, or password containing a single quote ('), the unescaped character breaks out of the string literal in the generated PHP file. Arbitrary PHP code appended after the quote is then embedded directly into the configuration file and executes when the configuration is included.
Attack Flow
1. Attacker obtains admin credentials with change_serversettings permission
2. Attacker calls the MySQL server add/update API endpoint
3. Attacker supplies a crafted string value: ' . system($_GET['cmd']) . '
4. PhpHelper::parseArrayToString() writes the value unescaped into a PHP config file
5. The generated config file now contains injected PHP code
6. Next time Froxlor loads the configuration, the injected code executes
7. Attacker achieves full code execution on the server
Generated Malicious PHP Example
```php
// Config file generated by Froxlor after malicious input
$db_host = '' . system($_GET['cmd']) . '';
$db_user = 'froxlor';
// ...
```
When this file is included by the Froxlor application, system($_GET['cmd']) is executed — giving the attacker OS command execution via a simple GET parameter.
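As an added example (not Froxlor's own code), the serializer pattern described above in simplified form beside a hardened version that uses var_export(), plus a token-based audit of a generated config file, which is the kind of check the Step 2 remediation below relies on; the function names and the sample settings are hypothetical.

```php
<?php
// Added example, not Froxlor's code: a simplified serializer in the vulnerable
// style, its hardened counterpart, and an audit that tokenizes a generated
// config and reports anything beyond a plain "$name = '<literal>';".
// Vulnerable pattern: the value is wrapped in single quotes unescaped,
// so a quote inside $value terminates the literal early.
function serialize_unsafe(array $settings): string {
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        $out .= '$' . $name . " = '" . $value . "';\n";
    }
    return $out;
}
// Hardened pattern: var_export() emits a valid string literal and escapes
// both ' and \, so the value cannot leave the string token.
function serialize_safe(array $settings): string {
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        $out .= '$' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $out;
}
// Audit: right of each '=' only whitespace and one constant string belong.
// Operators ('.', '('), bare identifiers (system) or variables ($_GET)
// there mean the literal was broken out of; each is reported with its line.
function audit_config(string $php): array {
    $allowed = [T_WHITESPACE, T_CONSTANT_ENCAPSED_STRING, T_COMMENT];
    $findings = [];
    $rhs = false;
    foreach (token_get_all($php) as $tok) {
        if (is_string($tok)) {               // single-character tokens
            if ($tok === '=') { $rhs = true; continue; }
            if ($tok === ';') { $rhs = false; continue; }
            if ($rhs) { $findings[] = "operator {$tok}"; }
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($rhs && !in_array($id, $allowed, true)) {
            $findings[] = "line {$line}: " . token_name($id) . " {$text}";
        }
    }
    return $findings;
}
// Constructed input using the quote-breakout pattern from the advisory.
$settings = ['db_host' => "' . system(\$_GET['cmd']) . '", 'db_user' => 'froxlor'];
echo serialize_unsafe($settings), "\n", serialize_safe($settings), "\n";
print_r(audit_config(serialize_unsafe($settings)));
print_r(audit_config(serialize_safe($settings)));
```

Run with the php CLI: audit_config() returns findings for the unsafe output (the concatenation operators, the bare identifier system and the variable $_GET) and an empty array for the hardened output, where the whole value stays one string token.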
Why This Is Dangerous
Although this vulnerability requires an admin account with change_serversettings permission, this is a realistic attack scenario in several situations:
- Compromised admin account — credential theft, phishing, or credential stuffing against a Froxlor panel gives the attacker this capability
- Shared admin environments — ISPs and hosting providers often grant change_serversettings to secondary admin accounts for infrastructure management
- Insider threat — a disgruntled or compromised admin can weaponize this flaw to escalate from admin to OS-level access
- Privilege escalation chain — CVE-2026-41228 (path traversal) may provide a path to obtain admin credentials, which then enables this injection
Impact Assessment
| Impact Area | Description |
|---|---|
| Code Execution | Arbitrary PHP and OS commands execute under the web server user |
| Full Server Compromise | Web server user context typically allows reading all hosted files |
| Persistence | Injected code persists in config files until the configuration is overwritten |
| Credential Theft | All database passwords, API keys, and hosting credentials accessible |
| Multi-Tenant Impact | All tenants on a shared Froxlor installation are affected |
Immediate Remediation
Step 1: Upgrade Froxlor to 2.3.6
```sh
# Check current Froxlor version
cat /var/www/froxlor/VERSION
# Update via apt (Debian/Ubuntu)
apt update && apt upgrade froxlor
# Or pull the latest release from GitHub
# https://github.com/Froxlor/Froxlor/releases/tag/2.3.6
```
Step 2: Audit Generated PHP Configuration Files
After patching, inspect existing PHP configuration files generated by Froxlor for signs of injection:
```sh
# Look for injected code patterns in Froxlor-generated config files
grep -rn "system\|exec\|passthru\|shell_exec\|eval" /etc/froxlor/
grep -rn "system\|exec\|passthru\|shell_exec\|eval" /var/www/froxlor/lib/config-serialized.php
```
Step 3: Restrict Admin Account Permissions
```sh
# Review which admin accounts have change_serversettings permission
# In Froxlor admin panel: Admin > Admins > Review permissions per account
# Remove change_serversettings from any accounts that do not strictly require it
```
Step 4: Rotate All Credentials
If exploitation is suspected or unclean config files are found, rotate all credentials:
- Froxlor database passwords
- MySQL server credentials configured in Froxlor
- Web hosting account credentials
- Any API keys stored in Froxlor configuration
Detection Indicators
| Indicator | Description |
|---|---|
| PHP function keywords in Froxlor config files | Injected code in configuration |
| Unexpected process spawning from web server user | PHP code execution via injected config |
| Database config files with anomalous string values | Injection artifacts remaining post-exploit |
| Admin audit logs showing MySQL server updates with unusual hostnames | Attack activity |
| Web server error logs with config include errors | Failed injection attempts |
Post-Remediation Checklist
- Upgrade to Froxlor 2.3.6 immediately
- Inspect all generated PHP config files for injection artifacts
- Replace any malicious configuration files with clean versions
- Audit admin account permissions — minimize accounts with change_serversettings
- Enable MFA for all Froxlor admin accounts
- Rotate all credentials accessible from the server
- Review web server process logs for unusual command execution