CVE

CVE-2026-26279

Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
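The bug class described above, sketched in PHP as an added example. This is not Froxlor's code: the function names, the `notify-tool` program and the sample inputs are constructed assumptions, and the real typo may have a different shape. A comparison where an assignment was meant leaves the validator always passing, and quoting the value where the command line is built is an independent second layer.

```php
<?php
// Added illustration: all names are hypothetical, not Froxlor's code.

// Buggy shape: '==' compares and discards the result, so $ok never changes.
function isEmailBuggy(string $value): bool
{
    $ok = true;
    $ok == (filter_var($value, FILTER_VALIDATE_EMAIL) !== false);
    return $ok;
}

// Corrected shape: '=' stores the validation result.
function isEmailFixed(string $value): bool
{
    $ok = true;
    $ok = (filter_var($value, FILTER_VALIDATE_EMAIL) !== false);
    return $ok;
}

// Second layer: quote the stored value where a command line is built, so it
// stays a single argument even if validation is ever bypassed again.
// 'notify-tool' is a placeholder program name.
function buildNotifyCommand(string $adminMail): string
{
    return 'notify-tool --to ' . escapeshellarg($adminMail);
}

// Constructed sample inputs.
$samples = ['admin@example.com', 'not-an-address | PLACEHOLDER'];
foreach ($samples as $s) {
    printf("%-32s buggy=%s fixed=%s\n", $s,
        var_export(isEmailBuggy($s), true),
        var_export(isEmailFixed($s), true));
}

// The command string is only printed here, never executed.
echo buildNotifyCommand($samples[1]), "\n";
```

RFC 5322 permits `|` in the local part of an address, so format validation alone does not make a value safe to concatenate into a shell command; the quoting step is needed regardless.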

CVSS Version

Base Score: 9.1
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

References

https://github.com/froxlor/froxlor/releases/tag/2.3.4
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26279.json
https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c
https://nvd.nist.gov/vuln/detail/CVE-2026-26279
https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343

Basic Information

Ecosystem:
Base CVSS: 9.1
EPSS Probability: 0.009%
EPSS Percentile: 0.76041%
Introduced Version: 0
Fix Available: 05b3228ebfa08f04ee7064d2452c68cdfa8fadae
