彙總 froxlor 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、路徑處理缺陷、CSRF與輸入驗證問題,在 生產負載與軟體部署 使用場景中可能帶來 工作階段劫持、檔案覆寫與異常行為 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-41233 | Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota (since the wrong admin's `domains_used` counter is incremented) and potentially exhausting another admin's quota. Version 2.3.6 fixes | [email protected] | 5.4 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41232 | Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customer | [email protected] | 5.0 | 0.03% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41231 | Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of | [email protected] | 7.5 | 0.07% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41230 | Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into B | [email protected] | 8.5 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41229 | Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a MySQL server via the API, the `privileged_user` parameter (which has no input validation) is written unescaped into `lib/userdata.inc.php`. Since this file is `require`d on every request via `Database::getDB()`, an attacker | [email protected] | 9.1 | 0.05% | 2026-04-23 | 2026-04-27 |
| CVE-2026-41228 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value a | [email protected] | 9.9 | 0.06% | 2026-04-23 | 2026-04-27 |
| CVE-2026-30932 | Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5. | [email protected] | 8.6 | 0.02% | 2026-03-24 | 2026-03-26 |
| CVE-2026-26279 | Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Exe | [email protected] | 9.1 | 0.86% | 2026-03-03 | 2026-03-05 |
| CVE-2025-48958 | Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and reputational damage by redirecting users to malicious external websites. The vulnerability has a medium severity, as it can be exploited through user input without authentication. Version 2.2.6 fixes the issue. | [email protected] | 5.5 | 0.17% | 2025-06-02 | 2025-06-25 |
| CVE-2025-29773 | Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and security. This vulnerability can be exploited by authenticated users (e.g., reseller, customer) who can create accounts with the same email address that has already been used by another account, such as the admin. The attac | [email protected] | 5.8 | 0.07% | 2025-03-13 | 2025-04-03 |
| CVE-2023-50256 | Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue. | [email protected] | 7.5 | 0.06% | 2024-01-03 | 2024-11-21 |
| CVE-2023-6069 | Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. | [email protected] | 9.9 | 0.25% | 2023-11-10 | 2024-11-21 |
| CVE-2023-4829 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22. | [email protected] | 5.4 | 0.07% | 2023-10-13 | 2024-11-21 |
| CVE-2023-5564 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1. | [email protected] | 4.8 | 0.05% | 2023-10-13 | 2024-11-21 |
| CVE-2023-4304 | Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0. | [email protected] | 3.8 | 0.16% | 2023-08-11 | 2024-11-21 |
| CVE-2023-3668 | Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21. | [email protected] | 7.2 | 0.07% | 2023-07-14 | 2024-11-21 |
| CVE-2023-3192 | Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. | [email protected] | 5.4 | 0.15% | 2023-06-11 | 2024-11-21 |
| CVE-2023-3173 | Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. | [email protected] | 9.8 | 0.10% | 2023-06-09 | 2024-11-21 |
| CVE-2023-3172 | Path Traversal in GitHub repository froxlor/froxlor prior to 2.0.20. | [email protected] | 7.2 | 0.26% | 2023-06-09 | 2024-11-21 |
| CVE-2023-2666 | Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16. | [email protected] | 7.5 | 0.23% | 2023-05-12 | 2024-11-21 |