Cyber Posture

CVE-2026-26279

Critical · Public PoC

Published: 03 March 2026

Modified: 05 March 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0086 (75.2nd percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.

Mitigating Controls (NIST 800-53 r5), AI-generated

- prevent: Directly enforces validation of email-type inputs such as panel.adminmail, so that arbitrary strings containing command injection payloads (such as the whitelisted pipe character) cannot be stored.
- prevent: Requires timely remediation of the specific software flaw (a validation typo using == instead of =) by patching to Froxlor version 2.3.4.
- prevent: Limits the server administration software to least functionality by prohibiting or restricting root cron jobs that concatenate untrusted configuration data into shell commands.

Security Summary, AI-generated

CVE-2026-26279 is a critical vulnerability in Froxlor, open source server administration software. Prior to version 2.3.4, a typo in the input validation code (== written where = was intended) completely disables email format checking for all settings fields declared as email type. This flaw allows arbitrary strings to be stored in the panel.adminmail setting, which is later concatenated into a shell command executed as root by a cron job. The pipe character | is explicitly whitelisted in this command, enabling command injection. The vulnerability is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-482 (Comparing instead of Assigning), and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

An authenticated administrator can exploit this vulnerability remotely with low complexity. By supplying a malicious string containing a whitelisted pipe character to the panel.adminmail field, the attacker injects arbitrary commands into the root-executed cron job shell command. Successful exploitation results in full root-level remote code execution on the server.
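The comparison-instead-of-assignment pattern (CWE-482) that the description and summary refer to, shown as an added PHP illustration that is not Froxlor's code: the function names, the $needsEmailCheck flag and the $field array are assumptions that reconstruct the bug class beside its corrected form, using PHP's built-in filter_var() as the email check.

```php
<?php
// Hypothetical reconstruction of the bug class described in the advisory text.
// Function and variable names are assumptions, not Froxlor's actual code.

// Vulnerable variant: the flag is compared instead of assigned, so the expression
// result is discarded, the flag stays false and the email check is never reached.
function validateSettingVulnerable(array $field, string $value): bool
{
    $needsEmailCheck = false;
    if ($field['type'] === 'email') {
        $needsEmailCheck == true;   // typo: == instead of = (a no-op comparison)
    }
    if ($needsEmailCheck && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return true;
}

// Fixed variant: the assignment happens, so any value that is not a syntactically
// valid address (including one carrying shell metacharacters) is rejected.
function validateSettingFixed(array $field, string $value): bool
{
    $needsEmailCheck = false;
    if ($field['type'] === 'email') {
        $needsEmailCheck = true;    // corrected assignment
    }
    if ($needsEmailCheck && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return true;
}

// Constructed sample inputs: a well-formed address and a non-address that carries
// a pipe, the character the advisory says the root cron command whitelists.
$field   = ['name' => 'panel.adminmail', 'type' => 'email'];
$samples = ['admin@example.com', 'no-at-sign|with-pipe'];

foreach ($samples as $s) {
    printf("%-22s vulnerable=%s fixed=%s\n", $s,
        validateSettingVulnerable($field, $s) ? 'accepted' : 'rejected',
        validateSettingFixed($field, $s) ? 'accepted' : 'rejected');
}
```

Static analysers that report an unused expression result flag the no-op comparison directly, which is the cheapest check for this typo class. The validation fix closes the CWE-482 half only; the CWE-78 half is addressed independently by passing the value through escapeshellarg(), or by avoiding the shell entirely, wherever it is concatenated into a command.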

The Froxlor security advisory (GHSA-33mp-8p67-xj7c) details the issue and confirms it is fixed in version 2.3.4. The patching commit (22249677107f8f39f8d4a238605641e87dab4343) corrects the validation typo, and administrators are directed to upgrade to the 2.3.4 release for mitigation.

Details

CWE(s): CWE-78, CWE-482

Affected Products

Vendor: froxlor
Product: froxlor
Versions: ≤ 2.3.4

MITRE ATT&CK Enterprise Techniques, AI-generated

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
  Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1059.004 Unix Shell (tactic: Execution)
  Adversaries may abuse Unix shell commands and scripts for execution.
- T1210 Exploitation of Remote Services (tactic: Lateral Movement)
  Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables exploitation for privilege escalation (T1068) from authenticated admin to root RCE via command injection (T1059.004 Unix Shell) in a root cron job on a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
