Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

froxlor — Vulnerabilities & Security Advisories 43

Browse all 43 CVE security advisories affecting froxlor. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Froxlor is an open-source web hosting control panel designed to automate the management of web, DNS, mail, and database services for system administrators. Its architecture, primarily built in PHP, has historically exposed it to a significant volume of security flaws, currently totaling 39 recorded Common Vulnerabilities and Exposures. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often stemming from insufficient input validation and improper access controls within its administrative interface. Privilege escalation remains a critical concern, allowing unauthenticated or low-privileged users to gain elevated system access. While no single catastrophic global incident has defined its history, the sheer number of disclosed CVEs indicates systemic weaknesses in code review and security hardening. Administrators relying on this platform must prioritize rigorous patch management and network segmentation to mitigate the risk of exploitation inherent in its long-standing codebase.

CVE IDTitleCVSSSeverityPublished
CVE-2026-41237 Froxlor has an incomplete fix for CVE-2026-30932 — froxlorCWE-74--2026-06-04
CVE-2026-41236 Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path — froxlorCWE-59 8.8 High2026-06-04
CVE-2026-41235 Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement — froxlorCWE-863--2026-06-04
CVE-2026-41234 Froxlor: BIND Zone File Injection via TXT Record Content — froxlorCWE-74 7.6 High2026-06-04
CVE-2026-41233 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() — froxlorCWE-863 5.4 Medium2026-04-23
CVE-2026-41232 Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing — froxlorCWE-863 5.0 Medium2026-04-23
CVE-2026-41231 Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron — froxlorCWE-59 7.5 High2026-04-23
CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() — froxlorCWE-93 8.5 High2026-04-23
CVE-2026-41229 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) — froxlorCWE-94 9.1 Critical2026-04-23
CVE-2026-41228 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution — froxlorCWE-98 10.0 Critical2026-04-23
CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API — froxlorCWE-74 7.5 -2026-03-24
CVE-2026-26279 Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection — FroxlorCWE-78 9.1 Critical2026-03-03
CVE-2020-36978 Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting — Froxlor Froxlor Server Management PanelCWE-79 6.4 Medium2026-01-27
CVE-2025-48958 Froxlor has an HTML Injection Vulnerability — FroxlorCWE-79 5.5 Medium2025-06-02
CVE-2025-29773 Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover — FroxlorCWE-287 5.8 Medium2025-03-13
CVE-2024-34070 Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise — FroxlorCWE-79 9.7 Critical2024-05-10
CVE-2023-50256 Froxlor username/surname AND company field Bypass — FroxlorCWE-20 7.5 High2024-01-03
CVE-2023-6069 Improper Link Resolution Before File Access in froxlor/froxlor — froxlor/froxlorCWE-59 9.9 Critical2023-11-10
CVE-2023-4829 Cross-site Scripting (XSS) - Stored in froxlor/froxlor — froxlor/froxlorCWE-79 5.4 -2023-10-13
CVE-2023-5564 Cross-site Scripting (XSS) - Stored in froxlor/froxlor — froxlor/froxlorCWE-79 5.4 -2023-10-13
CVE-2023-4304 Business Logic Errors in froxlor/froxlor — froxlor/froxlorCWE-840 3.8 Low2023-08-11
CVE-2023-3668 Improper Encoding or Escaping of Output in froxlor/froxlor — froxlor/froxlorCWE-116 8.3 -2023-07-14
CVE-2023-3192 Session Fixation in froxlor/froxlor — froxlor/froxlorCWE-384 7.6 -2023-06-11
CVE-2023-3172 Path Traversal in froxlor/froxlor — froxlor/froxlorCWE-22 2.7 -2023-06-09
CVE-2023-3173 Improper Restriction of Excessive Authentication Attempts in froxlor/froxlor — froxlor/froxlorCWE-307 9.4 -2023-06-09
CVE-2023-2666 Allocation of Resources Without Limits or Throttling in froxlor/froxlor — froxlor/froxlorCWE-770 8.1 -2023-05-12
CVE-2023-2034 Unrestricted Upload of File with Dangerous Type in froxlor/froxlor — froxlor/froxlorCWE-434 9.9 -2023-04-14
CVE-2023-1307 Authentication Bypass by Primary Weakness in froxlor/froxlor — froxlor/froxlorCWE-305 9.8 -2023-03-10
CVE-2023-1033 Cross-Site Request Forgery (CSRF) in froxlor/froxlor — froxlor/froxlorCWE-352 7.1 -2023-02-25
CVE-2023-0877 Code Injection in froxlor/froxlor — froxlor/froxlorCWE-94 4.6 -2023-02-17

This page lists every published CVE security advisory associated with froxlor. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.