froxlor 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには vendor risk cross-site scripting、パス処理の欠陥、vendor risk csrf, and vendor risk input validation があり、vendor surface production workloads の利用場面で vendor impact session compromise、ファイル上書き, and vendor impact unexpected behavior などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-41233 | Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes | [email protected] | 5.4 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41232 | Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customer | [email protected] | 5.0 | 0.03% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41231 | Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of | [email protected] | 7.5 | 0.07% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41230 | Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into B | [email protected] | 8.5 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41229 | Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker | [email protected] | 9.1 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41228 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value a | [email protected] | 9.9 | 0.06% | 2026-04-23 | 2026-04-27 |
| CVE-2026-30932 | Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5. | [email protected] | 8.6 | 0.02% | 2026-03-24 | 2026-03-26 |
| CVE-2026-26279 | Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Exe | [email protected] | 9.1 | 0.86% | 2026-03-03 | 2026-03-05 |
| CVE-2025-48958 | Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue. | [email protected] | 5.5 | 0.17% | 2025-06-02 | 2025-06-25 |
| CVE-2025-29773 | Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attac | [email protected] | 5.8 | 0.07% | 2025-03-13 | 2025-04-03 |
| CVE-2023-50256 | Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue. | [email protected] | 7.5 | 0.06% | 2024-01-03 | 2024-11-21 |
| CVE-2023-6069 | Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. | [email protected] | 9.9 | 0.25% | 2023-11-10 | 2024-11-21 |
| CVE-2023-4829 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22. | [email protected] | 5.4 | 0.07% | 2023-10-13 | 2024-11-21 |
| CVE-2023-5564 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1. | [email protected] | 4.8 | 0.05% | 2023-10-13 | 2024-11-21 |
| CVE-2023-4304 | Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0. | [email protected] | 3.8 | 0.16% | 2023-08-11 | 2024-11-21 |
| CVE-2023-3668 | Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21. | [email protected] | 7.2 | 0.07% | 2023-07-14 | 2024-11-21 |
| CVE-2023-3192 | Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. | [email protected] | 5.4 | 0.15% | 2023-06-11 | 2024-11-21 |
| CVE-2023-3173 | Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. | [email protected] | 9.8 | 0.10% | 2023-06-09 | 2024-11-21 |
| CVE-2023-3172 | Path Traversal in GitHub repository froxlor/froxlor prior to 2.0.20. | [email protected] | 7.2 | 0.26% | 2023-06-09 | 2024-11-21 |
| CVE-2023-2666 | Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16. | [email protected] | 7.5 | 0.23% | 2023-05-12 | 2024-11-21 |