Froxlor
All CVEs
47 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-41228 | Froxlor | Critical | 0.57 | 9.9 | 0.01 | | Apr 23, 2026 | Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set… |
| CVE-2015-5959 | Froxlor | Critical | 0.57 | 9.8 | 0.03 | | Sep 6, 2017 | Froxlor before 0.9.33.2 with the default configuration/setup might allow remote attackers to obtain the database password by reading /logs/sql-error.log. |
| CVE-2016-5100 | Froxlor | Critical | 0.57 | 9.8 | 0.02 | | Feb 13, 2017 | Froxlor before 0.9.35 uses the PHP rand function for random number generation, which makes it easier for remote attackers to guess the password reset token by predicting a value. |
| CVE-2024-34070 | Froxlor | Critical | 0.55 | 9.6 | 0.01 | | May 14, 2024 | Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the… |
| CVE-2026-41229 | Froxlor | Critical | 0.52 | 9.1 | 0.00 | | Apr 23, 2026 | Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings` permission adds or updates a… |
| CVE-2026-41236 | Froxlor | High | 0.50 | 8.8 | 0.00 | | Jun 4, 2026 | Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled… |
| CVE-2026-41237 | Froxlor | High | 0.49 | — | 0.00 | | Jun 4, 2026 | Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input… |
| CVE-2026-41235 | Froxlor | High | 0.49 | — | 0.00 | | Jun 4, 2026 | Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when… |
| CVE-2026-41230 | Froxlor | High | 0.48 | 8.5 | 0.00 | | Apr 23, 2026 | Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation… |
| CVE-2026-41234 | Froxlor | High | 0.42 | 7.6 | 0.00 | | Jun 4, 2026 | Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which… |
| CVE-2026-41231 | Froxlor | High | 0.42 | 7.5 | 0.00 | | Apr 23, 2026 | Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that… |
| CVE-2020-36978 | Froxlor | Medium | 0.42 | 6.4 | 0.00 | | Jan 27, 2026 | Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer… |
| CVE-2026-52793 | Froxlor | High | 0.38 | — | 0.00 | | Jun 3, 2026 | Summary: Froxlor's API authentication (`FroxlorRPC::validateAuth`) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts… |
| CVE-2026-41233 | Froxlor | Medium | 0.28 | 5.4 | 0.00 | | Apr 23, 2026 | Froxlor is open source server administration software. Prior to version 2.3.6, in `Domains.add()`, the `adminid` parameter is accepted from user input and used without validation when the calling reseller does not have the `customers_see_all` permission. This allows a reseller… |
| CVE-2026-41232 | Froxlor | Medium | 0.26 | 5.0 | 0.00 | | Apr 23, 2026 | Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to… |
| CVE-2023-0315 | Froxlor | | 0.04 | — | 0.98 | | Jan 16, 2023 | Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8. |
| CVE-2026-30932 | Froxlor | | 0.00 | — | 0.01 | | Mar 24, 2026 | Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and… |
| CVE-2026-26279 | Froxlor | | 0.00 | — | 0.01 | | Mar 3, 2026 | Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary… |
| CVE-2025-48958 | Froxlor | | 0.00 | — | 0.00 | | Jun 2, 2025 | Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email section. This can lead to phishing attacks, credential theft, and… |
| CVE-2025-29773 | Froxlor | | 0.00 | — | 0.00 | | Mar 13, 2025 | Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as resellers or customers) to create accounts with the same email address as an existing account. This creates potential issues with account identification and… |
| CVE-2023-50256 | Froxlor | | 0.00 | — | 0.01 | | Jan 3, 2024 | Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory… |
| CVE-2023-6069 | Froxlor | | 0.00 | — | 0.01 | | Nov 10, 2023 | Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0. |
| CVE-2023-4829 | Froxlor | | 0.00 | — | 0.00 | | Oct 13, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.0.22. |
| CVE-2023-5564 | Froxlor | | 0.00 | — | 0.00 | | Oct 13, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1. |
| CVE-2023-4304 | Froxlor | | 0.00 | — | 0.00 | | Aug 11, 2023 | Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22, 2.1.0. |
| CVE-2023-3668 | Froxlor | | 0.00 | — | 0.01 | | Jul 14, 2023 | Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21. |
| CVE-2023-3192 | Froxlor | | 0.00 | — | 0.00 | | Jun 11, 2023 | Session Fixation in GitHub repository froxlor/froxlor prior to 2.1.0. |
| CVE-2023-3172 | Froxlor | | 0.00 | — | 0.01 | | Jun 9, 2023 | Path Traversal in GitHub repository froxlor/froxlor prior to 2.0.20. |
| CVE-2023-3173 | Froxlor | | 0.00 | — | 0.01 | | Jun 9, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20. |
| CVE-2023-2666 | Froxlor | | 0.00 | — | 0.01 | | May 12, 2023 | Allocation of Resources Without Limits or Throttling in GitHub repository froxlor/froxlor prior to 2.0.16. |
| CVE-2023-2034 | Froxlor | | 0.00 | — | 0.73 | | Apr 14, 2023 | Unrestricted Upload of File with Dangerous Type in GitHub repository froxlor/froxlor prior to 2.0.14. |
| CVE-2023-1307 | Froxlor | | 0.00 | — | 0.01 | | Mar 10, 2023 | Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13. |
| CVE-2023-1033 | Froxlor | | 0.00 | — | 0.00 | | Feb 25, 2023 | Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.11. |
| CVE-2023-0877 | Froxlor | | 0.00 | — | 0.04 | | Feb 17, 2023 | Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11. |
| CVE-2023-0671 | Froxlor | | 0.00 | — | 0.01 | | Feb 4, 2023 | Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10. |
| CVE-2023-0572 | Froxlor | | 0.00 | — | 0.01 | | Jan 29, 2023 | Unchecked Error Condition in GitHub repository froxlor/froxlor prior to 2.0.10. |
| CVE-2023-0565 | Froxlor | | 0.00 | — | 0.01 | | Jan 29, 2023 | Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10. |
| CVE-2023-0566 | Froxlor | | 0.00 | — | 0.00 | | Jan 29, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in froxlor/froxlor prior to 2.0.10. |
| CVE-2023-0564 | Froxlor | | 0.00 | — | 0.00 | | Jan 29, 2023 | Weak Password Requirements in GitHub repository froxlor/froxlor prior to 2.0.10. |
| CVE-2023-0316 | Froxlor | | 0.00 | — | 0.01 | | Jan 16, 2023 | Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0. |
| CVE-2022-4867 | Froxlor | | 0.00 | — | 0.00 | | Dec 31, 2022 | Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
| CVE-2022-4868 | Froxlor | | 0.00 | — | 0.01 | | Dec 31, 2022 | Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
| CVE-2022-4864 | Froxlor | | 0.00 | — | 0.00 | | Dec 30, 2022 | Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1. |
| CVE-2022-3869 | Froxlor | | 0.00 | — | 0.01 | | Nov 5, 2022 | Code Injection in GitHub repository froxlor/froxlor prior to 0.10.38.2. |
| CVE-2022-3721 | Froxlor | | 0.00 | — | 0.01 | | Nov 4, 2022 | Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39. |
| CVE-2022-3017 | Froxlor | | 0.00 | — | 0.00 | | Aug 28, 2022 | Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38. |
| CVE-2020-29653 | Froxlor | | 0.00 | — | 0.01 | | Apr 13, 2022 | Froxlor through 0.10.22 does not perform validation on user input passed in the customermail GET parameter. The value of this parameter is reflected in the login webpage, allowing the injection of arbitrary HTML tags. |