
CVE-2026-41229 - Vulnerability Analysis

Severity: Critical | CVSS: 9.1

Last Updated: April 24, 2026

Froxlor - Remote Code Execution

Published: April 23, 2026 | Updated: April 24, 2026 | Remotely exploitable

Overview

Froxlor before version 2.3.6 contains a code injection vulnerability: PhpHelper::parseArrayToString() does not escape single quotes when it writes the privileged_user parameter into lib/userdata.inc.php, so a value containing a single quote can terminate the string literal and the remainder is parsed as PHP. An attacker with the change_serversettings permission can therefore execute arbitrary PHP code as the web server user. Exploitation requires admin privileges.
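As an added illustration of the bug class described above (hypothetical helpers, not Froxlor's own PhpHelper::parseArrayToString()): a config writer that drops values into single-quoted PHP literals unescaped, beside a hardened version that uses var_export(), exercised with a constructed sample value containing an apostrophe.

```php
<?php
// Added illustration of the bug class behind CVE-2026-41229; hypothetical
// helpers, not Froxlor's PhpHelper::parseArrayToString().

// Vulnerable pattern: each value is dropped into a single-quoted PHP
// literal as-is, so a value containing ' ends the literal early.
function writeConfigUnsafe(array $data): string
{
    $out = "<?php\n";
    foreach ($data as $key => $value) {
        $out .= "\$cfg['" . $key . "'] = '" . $value . "';\n";
    }
    return $out;
}

// Hardened pattern: var_export() emits a valid PHP literal with \ and '
// escaped, so no value can break out of the string it is written into.
function writeConfigSafe(array $data): string
{
    $out = "<?php\n";
    foreach ($data as $key => $value) {
        $out .= '$cfg[' . var_export((string) $key, true) . '] = '
              . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

// Load the generated file the way the application would (include) and
// return null when it does not even parse (ParseError, PHP 7+).
function loadGenerated(string $code): ?array
{
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, $code);
    $cfg = [];
    try {
        include $tmp;
    } catch (ParseError $e) {
        return null;
    } finally {
        unlink($tmp);
    }
    return $cfg;
}

// Constructed sample: a value with an apostrophe, a benign stand-in for
// whatever an admin could type into privileged_user.
$sample = ['privileged_user' => "o'brien"];

var_dump(loadGenerated(writeConfigUnsafe($sample)));           // unsafe writer: file no longer parses
var_dump(loadGenerated(writeConfigSafe($sample)) === $sample); // safe writer: value round-trips intact
```

The same check (include the generated file and compare it against the input array) is a cheap regression test for any code path that serialises user-controlled settings into PHP source.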

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 4.1% (probability of exploitation in the next 30 days)

Impact

Attackers with admin privileges can execute arbitrary PHP code as the web server user, leading to full server compromise.

Mitigation

Update to version 2.3.6 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Apr 23, 2026

🔓 CVE-2026-41229 - Critical (9.1) Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with `change_serversettings`... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41229/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-41229
Severity: Critical
CVSS Score: 9.1
Type: code_injection
Status: unconfirmed
EPSS: 4.1%
Social Posts: 1

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

4.1% (probability of exploitation in the next 30 days)