GHSA-F9RX-7WF7-JR36 Froxlor's API Authentication bypasses 2FA Authentication

Summary Froxlor's API authentication FroxlorRPC::validateAuth does not enforce Two-Factor Authentication. When a user admin or customer enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an...

GHSA-37M5-M4Q3-FC6X Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

Froxlor < 0.10.38.2. - HTML Injection

HTML Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2. id: CVE-2022-3869 info: name: Froxlor TEST" matchers-condition: and matchers: - type: word part: body words: - 'The message to ""TEST" failed' - type: word part: header words: - "text/html" - type: status status: - 200 d...

Froxlor has an incomplete fix for CVE-2026-30932

Summary The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the DnsEntry.php process. An attacker can inject arbitrary DNS records into zone...

Symlink Attack

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Symlink Attack via the SshKeys::generateFiles process. An attacker can gain unauthorized root-level SSH access by creating a symbolic link from the customer-controlled...

GHSA-MQ5V-PXPM-8JW2 Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path

Summary Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without verifying that the target path is not a symbolic...

Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path

Summary Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without verifying that the target path is not a symbolic...

Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement

Summary Froxlor 2.3.6 lets administrators configure system.availableshells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer wi...

GHSA-GCV3-5V9Q-FMHH Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement

Summary Froxlor 2.3.6 lets administrators configure system.availableshells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer wi...

Incorrect Authorization

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Incorrect Authorization via the Ftps::add and Ftps::update functions. An attacker can gain unauthorized shell access and escalate privileges by submitting an arbitrary shell value...

CVE-2026-41236

creationtimestamp| type| source ---|---|--- 2026-05-29 06:30:36+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-mq5v-pxpm-8jw2...

CVE-2026-41235

creationtimestamp| type| source ---|---|--- 2026-05-29 06:30:24+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-gcv3-5v9q-fmhh...

PT-2026-44906

Summary Froxlor 2.3.6 lets administrators configure system.available shells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer...

PT-2026-44908

Summary The LOC record regex uses s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: al...

PT-2026-44907

Summary Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorized keys under a customer-controlled home directory without verifying that the target path is not a symboli...

Exploit for CVE-2024-34070

Exploit for CVE-2024-34070 Credit to froxlor for the vuln dis...

Arbitrary Code Injection

Froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper escaping of single quotes in PhpHelper::parseArrayToString, which allows an attacker to inject arbitrary PHP code through the privilegeduser parameter that gets executed on subsequent requests...

CVE-2026-41232

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...