Home / Vulnerability Intelligence / CVE-2026-41228

CVE-2026-41228 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: April 24, 2026

Froxlor - Remote Code Execution

Published: April 23, 2026Updated: April 24, 2026Remote Exploitable

Overview

Froxlor < 2.3.6 contains a remote code execution caused by improper validation of def_language parameter in Customers.update and Admins.update API endpoints, letting authenticated customers execute arbitrary PHP code via path traversal payloads.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 5.5%(Probability of exploitation in next 30 days)

Impact

Authenticated customers can execute arbitrary PHP code as the web server user, potentially leading to full server compromise.

Mitigation

Upgrade to version 2.3.6 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 23, 2026

🔴 CVE-2026-41228 - Critical (9.9) Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authen... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41228/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-41228
Severity: Critical
CVSS Score: 9.9
Type: command_injection
Status: unconfirmed
EPSS: 5.5%
Social Posts: 1

CWE

CWE-98

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

5.5%Probability of exploitation in the next 30 days