CVE-2026-26279 CRITICAL

CVE-2026-26279: Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection

Vendor Froxlor

Product Froxlor

Weakness CWE-78

Published March 3, 2026

Last update March 4, 2026

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.

Key dates

02Disclosure timeline

March 3, 2026 CVE published

March 4, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-26279

Related vulnerabilities

CVE-2026-26279: Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE