CVE-2026-26279
Published 2026-03-03
Priority: P262 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.80% (52.0th percentile)
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| froxlor | froxlor | < 2.3.4 | 2.3.4 |
| froxlor | froxlor | >= 0 < 2.3.4 | 2.3.4 |
Detection & IOCs (extracted from sources)
- The vulnerable setting is `panel.adminmail`. Monitor for admin modifications to this setting that contain shell metacharacters, especially the pipe character `|`, which is explicitly whitelisted in the shell command construction.
- Detect exploitation attempts by auditing Froxlor admin panel activity for email-type settings fields containing non-email strings (e.g., strings with `|`, `;`, `$()`, backticks) stored in the database, particularly in the `panel.adminmail` setting.
- Monitor cron job execution context for unexpected child processes spawned as root that originate from Froxlor's cron job, which may indicate successful RCE via the injected `panel.adminmail` value.
- The vulnerability only affects Froxlor versions prior to 2.3.4; upgrade to 2.3.4 or later to remediate. The root cause is a typo (`==` instead of `=`) in input validation, meaning all email-type settings fields are affected, not just `panel.adminmail`.
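As an added example (not Froxlor's code and not part of this record), the Python audit script below shows the two checks that the summary and the detection notes above call for: the strict email-format validation that the disabled validator should have enforced on email-type settings, and a scan of stored settings rows for shell metacharacters, with the pipe character flagged because the advisory says it is whitelisted in the cron command. The `(settinggroup, varname, value)` row shape, the set of email-type settings and all sample values are constructed assumptions, not Froxlor's real schema or data.

```python
"""Audit email-type settings for values an email validator should have rejected.

Added example, not Froxlor code. Row layout and sample data are constructed.
"""
from __future__ import annotations

import re

# Shell metacharacters that must never reach a command line from a settings value.
# The pipe is the one the advisory singles out as whitelisted on the cron side.
SHELL_METACHARS = set("|;&$`()<>\\\"'\n")

# Strict single-address pattern: this is the kind of check the typo disabled.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    """True only for a plain local-part@domain address with no stray characters."""
    return bool(EMAIL_RE.fullmatch(value))


def suspicious_chars(value: str) -> list[str]:
    """Sorted list of shell metacharacters present in the value (empty if none)."""
    return sorted({c for c in value if c in SHELL_METACHARS})


def audit_settings(rows, email_settings):
    """Return one finding per email-type setting whose value is not a valid address.

    rows:           iterable of (settinggroup, varname, value) tuples (assumed layout)
    email_settings: set of "group.name" keys declared as email type
    """
    findings = []
    for group, name, value in rows:
        key = f"{group}.{name}"
        if key not in email_settings:
            continue  # non-email settings are out of scope for this check
        if is_valid_email(value):
            continue  # well-formed address: nothing to report
        findings.append({
            "setting": key,
            "value": value,
            # Empty list means "validator bypass without metacharacters";
            # a non-empty list is the injection-shaped case worth escalating.
            "metachars": suspicious_chars(value),
        })
    return findings


# Constructed sample rows (assumed panel_settings-style layout, not real data).
SAMPLE_ROWS = [
    ("panel", "adminmail", "admin@example.com"),
    ("panel", "adminmail", "admin@example.com | true"),   # constructed: pipe smuggled in
    ("panel", "adminmail", "not an email at all"),        # constructed: bypass, no metachars
    ("system", "hostname", "host.example.com"),           # not an email-type setting
]

# Assumed set of email-type settings; panel.adminmail is the one named in the advisory.
EMAIL_SETTINGS = {"panel.adminmail"}

if __name__ == "__main__":
    for f in audit_settings(SAMPLE_ROWS, EMAIL_SETTINGS):
        print(f"{f['setting']}: {f['value']!r} metachars={f['metachars']}")
```

Run against an export of the settings table, the script separates two populations: rows whose value fails the email pattern but carries no metacharacters (evidence the validator was bypassed), and rows carrying `|` or other metacharacters (the case that should be treated as an attempted or successful injection and correlated with the cron-side process monitoring described above).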
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| ghsa | | 7.8 | HIGH | |
| osv | | 7.8 | HIGH | |
GHSA
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
ghsa · 2026-03-03 · CVSS 7.8 · HIGH · CWE-482
## Summary
A typo in Froxlor's input validation code (`==` instead of `=`) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings — including shell metacharacters — in the `panel.adminmail` setting. This value is later concatenated into a shell command executed as **root** by a cron job, where the pipe character `|` is explicitly whitelisted. The result is **full root-level Remote Code Execution**.
---
## Why This Is a Security Vulnerability (Not Just "Admin Using Admin Features")
Froxlor is a **shared hosting control panel**. In production deployments:
1. **Admin panel access does not equal
OSV
Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
osv · 2026-03-03 · CVSS 7.8 · HIGH
No detection rules found.
No public exploits indexed.