CVE-2026-26279
published 2026-03-03

Severity: critical, CVSS 3.1 base score 9.1 (priority P262)
Vector: AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.80% (52.0th percentile)

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.

Affected (2 ranges)

  Vendor    Product   Version range    Fixed in
  froxlor   froxlor   < 2.3.4          2.3.4
  froxlor   froxlor   >= 0 < 2.3.4     2.3.4

Detection & IOCs (extracted from sources)

  • The vulnerable setting is `panel.adminmail` — monitor for admin modifications to this setting that contain shell metacharacters, especially the pipe character `|`, which is explicitly whitelisted in the shell command construction.
  • Detect exploitation attempts by auditing Froxlor admin panel activity for email-type settings fields containing non-email strings (e.g., strings with `|`, `;`, `$()`, backticks) stored in the database, particularly in the `panel.adminmail` setting.
  • Monitor cron job execution context for unexpected child processes spawned as root that originate from Froxlor's cron job, which may indicate successful RCE via the injected `panel.adminmail` value.
  • Vulnerability only affects Froxlor versions prior to 2.3.4; upgrade to 2.3.4 or later to remediate. The root cause is a typo (`==` instead of `=`) in input validation, meaning all email-type settings fields are affected, not just `panel.adminmail`.
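As an added illustration of the bug class in the description and of the detection bullets above (example code, not Froxlor's source; every function name and the second setting key are hypothetical, only `panel.adminmail` is from the advisory): a validator with the comparison-for-assignment typo accepts a pipe-bearing value where the corrected one rejects it, and an audit function flags such values in an exported settings table.

```python
import re

# Simple email shape used by both validators below (illustrative, not Froxlor's).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Characters that must never survive into a value later pasted into a shell
# command; the advisory singles out '|' as explicitly whitelisted downstream.
SHELL_META = set("|;&`$()<>\n")


def validate_setting_buggy(field_type: str, value: str) -> bool:
    """Bug class from the advisory: a comparison written where an assignment
    was meant, so no pattern is ever selected and 'email' accepts anything."""
    pattern = None
    if field_type == "email":
        pattern == EMAIL_RE  # typo: '==' compares and discards; '=' was intended
    if pattern is None:
        return True  # no pattern selected, so no format check happens at all
    return pattern.fullmatch(value) is not None


def validate_setting_fixed(field_type: str, value: str) -> bool:
    """Corrected version: the pattern is actually assigned and enforced."""
    pattern = None
    if field_type == "email":
        pattern = EMAIL_RE
    if pattern is None:
        return True
    return pattern.fullmatch(value) is not None


def audit_email_settings(settings: dict, email_fields: set) -> list:
    """Defender-side check over an exported settings table: flag every
    email-type field whose stored value is not a well-formed address or
    carries shell metacharacters. Returns one finding string per bad field."""
    findings = []
    for key in sorted(email_fields):
        value = settings.get(key, "")
        meta = sorted(SHELL_META & set(value))
        if meta or EMAIL_RE.fullmatch(value) is None:
            findings.append(f"{key}: suspicious value {value!r}, metacharacters {meta}")
    return findings


# Constructed sample export (not real Froxlor data); the second key is hypothetical.
SAMPLE_SETTINGS = {
    "panel.adminmail": "admin@example.com|injected-placeholder",
    "panel.example_contactmail": "contact@example.com",
}
EMAIL_FIELDS = {"panel.adminmail", "panel.example_contactmail"}
```

Running `audit_email_settings(SAMPLE_SETTINGS, EMAIL_FIELDS)` on the constructed export reports only `panel.adminmail`; the same check can be run against a database dump of the settings table on affected versions.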

CVSS provenance

  nvd:  CVSS 3.1 base score 9.1 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  ghsa: 7.8 HIGH
  osv:  7.8 HIGH