
froxlor — Vulnerabilities & Security Advisories 39

Browse all 39 CVE security advisories affecting froxlor. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Froxlor is an open-source web hosting control panel designed to automate the management of web, DNS, mail, and database services for system administrators. Its architecture, primarily built in PHP, has historically exposed it to a significant volume of security flaws, currently totaling 39 recorded Common Vulnerabilities and Exposures. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often stemming from insufficient input validation and improper access controls within its administrative interface. Privilege escalation remains a critical concern, allowing unauthenticated or low-privileged users to gain elevated system access. While no single catastrophic global incident has defined its history, the sheer number of disclosed CVEs indicates systemic weaknesses in code review and security hardening. Administrators relying on this platform must prioritize rigorous patch management and network segmentation to mitigate the risk of exploitation inherent in its long-standing codebase.

Showing 12 of 39 results.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41233 | Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() | froxlor | CWE-863 | 5.4 | Medium | 2026-04-23
CVE-2026-41232 | Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing | froxlor | CWE-863 | 5.0 | Medium | 2026-04-23
CVE-2026-41231 | Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron | froxlor | CWE-59 | 7.5 | High | 2026-04-23
CVE-2026-41230 | Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() | froxlor | CWE-93 | 8.5 | High | 2026-04-23
CVE-2026-41229 | Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) | froxlor | CWE-94 | 9.1 | Critical | 2026-04-23
CVE-2026-41228 | Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution | froxlor | CWE-98 | 10.0 | Critical | 2026-04-23
CVE-2026-30932 | Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API | froxlor | CWE-74 | 7.5 | - | 2026-03-24
CVE-2026-26279 | Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection | Froxlor | CWE-78 | 9.1 | Critical | 2026-03-03
CVE-2025-48958 | Froxlor has an HTML Injection Vulnerability | Froxlor | CWE-79 | 5.5 | Medium | 2025-06-02
CVE-2025-29773 | Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover | Froxlor | CWE-287 | 5.8 | Medium | 2025-03-13
CVE-2024-34070 | Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise | Froxlor | CWE-79 | 9.7 | Critical | 2024-05-10
CVE-2023-50256 | Froxlor username/surname AND company field Bypass | Froxlor | CWE-20 | 7.5 | High | 2024-01-03

This page lists every published CVE security advisory associated with froxlor. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.