汇总 froxlor 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 跨站脚本、路径处理缺陷、CSRF与输入验证问题,在 生产负载与软件部署 使用场景中可能带来 会话劫持、文件覆盖与异常行为 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-41233 | Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes | [email protected] | 5.4 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41232 | Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customer | [email protected] | 5.0 | 0.03% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41231 | Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of | [email protected] | 7.5 | 0.07% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41230 | Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into B | [email protected] | 8.5 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41229 | Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker | [email protected] | 9.1 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41228 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value a | [email protected] | 9.9 | 0.06% | 2026-04-23 | 2026-04-27 |
| CVE-2026-30932 | Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5. | [email protected] | 8.6 | 0.02% | 2026-03-24 | 2026-03-26 |
| CVE-2026-26279 | Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Exe | [email protected] | 9.1 | 0.86% | 2026-03-03 | 2026-03-05 |
| CVE-2025-48958 | Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue. | [email protected] | 5.5 | 0.17% | 2025-06-02 | 2025-06-25 |
| CVE-2025-29773 | Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attac | [email protected] | 5.8 | 0.07% | 2025-03-13 | 2025-04-03 |
| CVE-2023-50256 | Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue. | [email protected] | 7.5 | 0.06% | 2024-01-03 | 2024-11-21 |
| CVE-2023-6069 | Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. | [email protected] | 9.9 | 0.25% | 2023-11-10 | 2024-11-21 |
| CVE-2023-4829 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22. | [email protected] | 5.4 | 0.07% | 2023-10-13 | 2024-11-21 |
| CVE-2023-5564 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1. | [email protected] | 4.8 | 0.05% | 2023-10-13 | 2024-11-21 |
| CVE-2023-4304 | Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0. | [email protected] | 3.8 | 0.16% | 2023-08-11 | 2024-11-21 |
| CVE-2023-3668 | Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21. | [email protected] | 7.2 | 0.07% | 2023-07-14 | 2024-11-21 |
| CVE-2023-3192 | Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. | [email protected] | 5.4 | 0.15% | 2023-06-11 | 2024-11-21 |
| CVE-2023-3173 | Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. | [email protected] | 9.8 | 0.10% | 2023-06-09 | 2024-11-21 |
| CVE-2023-3172 | Path Traversal in GitHub repository froxlor/froxlor prior to 2.0.20. | [email protected] | 7.2 | 0.26% | 2023-06-09 | 2024-11-21 |
| CVE-2023-2666 | Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16. | [email protected] | 7.5 | 0.23% | 2023-05-12 | 2024-11-21 |