Lucene search
K

661 matches found

EUVD
EUVD
added 2026/04/23 3:52 a.m.9 views

EUVD-2026-25182

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixedhomedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

9.9CVSS5.9AI score0.00836EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/04/23 3:52 a.m.32 views

CVE-2026-41231 Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixedhomedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

7.5CVSS0.00414EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/23 3:47 a.m.3 views

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

8.5CVSS5.8AI score0.00347EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/23 3:47 a.m.41 views

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

8.5CVSS0.00347EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/23 3:47 a.m.4 views

CVE-2026-41230

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

8.5CVSS5.8AI score0.00347EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/23 3:47 a.m.5 views

EUVD-2026-25180

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

8.5CVSS5.8AI score0.00347EPSS
Exploits1References3
CVE
CVE
added 2026/04/23 3:47 a.m.16 views

CVE-2026-41230

CVE-2026-41230 affects Froxlor prior to 2.3.6 through DomainZones::add(), where arbitrary DNS record types and newline-containing content are not sanitized. This allows an authenticated user to inject DNS records and BIND directives (e.g., $INCLUDE, $ORIGIN, $GENERATE) into zone files by submitti...

8.5CVSS5.8AI score0.00347EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 2026/04/23 3:44 a.m.27 views

CVE-2026-41229 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

9.1CVSS0.0048EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/23 3:44 a.m.4 views

CVE-2026-41229 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

9.1CVSS5.9AI score0.0048EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/23 3:44 a.m.5 views

CVE-2026-41229

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

9.1CVSS5.9AI score0.0048EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/23 3:44 a.m.6 views

EUVD-2026-25178

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

9.1CVSS5.9AI score0.0048EPSS
Exploits1References3
CVE
CVE
added 2026/04/23 3:44 a.m.19 views

CVE-2026-41229

Summary (CVE-2026-41229) Froxlor prior to v2.3.6 contains a PHP code injection flaw in the generation of userdata.inc.php. PhpHelper::parseArrayToString() writes string values into single-quoted PHP literals without escaping single quotes. When an admin with change_serversettings updates a MySQL ...

9.1CVSS5.9AI score0.0048EPSS
Exploits1References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/23 3:41 a.m.6 views

CVE-2026-41228

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update and Admins.update does not validate the deflanguage parameter against the list of available language files. An authenticated customer can set deflanguage to a path traversal...

9.9CVSS6.3AI score0.00524EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/23 3:41 a.m.5 views

CVE-2026-41228 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update and Admins.update does not validate the deflanguage parameter against the list of available language files. An authenticated customer can set deflanguage to a path traversal...

9.9CVSS6.3AI score0.00524EPSS
Exploits1References3
EUVD
EUVD
added 2026/04/23 3:41 a.m.4 views

EUVD-2026-25176

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update and Admins.update does not validate the deflanguage parameter against the list of available language files. An authenticated customer can set deflanguage to a path traversal...

9.9CVSS6.3AI score0.00524EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/23 3:41 a.m.32 views

CVE-2026-41228 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update and Admins.update does not validate the deflanguage parameter against the list of available language files. An authenticated customer can set deflanguage to a path traversal...

9.9CVSS0.00524EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.8 views

PT-2026-34633

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change serversettings permission adds or updates a MySQL server via the API,...

9.1CVSS5.9AI score0.0048EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.9 views

PT-2026-34637

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...

5CVSS5.8AI score0.00231EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.12 views

PT-2026-34635

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixed homedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

7.5CVSS5.9AI score0.00414EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.10 views

Froxlor 代码注入漏洞

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 contained a code injection vulnerability. This vulnerability stemmed from the PhpHelper::parseArrayToString function, which did not escape single quotes when writing PHP...

9.1CVSS6AI score0.0048EPSS
Exploits1References1
Rows per page
Query Builder