Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

froxlor — Vulnerabilities & Security Advisories 43

Browse all 43 CVE security advisories affecting froxlor. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Froxlor is an open-source web hosting control panel designed to automate the management of web, DNS, mail, and database services for system administrators. Its architecture, primarily built in PHP, has historically exposed it to a significant volume of security flaws, currently totaling 39 recorded Common Vulnerabilities and Exposures. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection, often stemming from insufficient input validation and improper access controls within its administrative interface. Privilege escalation remains a critical concern, allowing unauthenticated or low-privileged users to gain elevated system access. While no single catastrophic global incident has defined its history, the sheer number of disclosed CVEs indicates systemic weaknesses in code review and security hardening. Administrators relying on this platform must prioritize rigorous patch management and network segmentation to mitigate the risk of exploitation inherent in its long-standing codebase.

Low2026-06-13
validate dns LOC, RP, SSHFP and TLSA record-content according to spec… · froxlor/froxlor@b348292 · GitHub
High2026-06-13
Authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement · Advisory · froxlor
HighCVE-2026-412342026-06-13
BIND Zone File Injection via TXT Record Content · Advisory · froxlor/froxlor · GitHub
HighCVE-2026-309322026-06-13
Incomplete fix for CVE-2026-30932 in froxlor · Advisory · froxlor/froxlor · GitHub
High2026-06-13
Privilege escalation in SSH key synchronization via symlinked `authorized_keys` path · Advisory · froxlor/froxlor · GitH
MediumCVE-2026-42322026-04-23
Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing · Advisory · froxl
High2026-04-23
Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add() · Advisory · froxlor/froxlor · GitHub
Medium2026-04-23
add validation for DNS NAPTR record content · froxlor/froxlor@47a8af5 · GitHub
Critical2026-04-23
Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution · Advisory · frox
Medium2026-04-23
validate def_language parameter against existing language files and a… · froxlor/froxlor@bc5e6db · GitHub
Medium2026-04-23
fix escaping of single-quotes in generation of userdata.inc.php and v… · froxlor/froxlor@3589ddf · GitHub
HighCVE-2024-412302026-04-23
BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add() · Advisory · froxlor/froxlor · GitHub
High2026-04-23
add symlink-validation to data-export · froxlor/froxlor@2987b0e · GitHub
HighCVE-2024-412312026-04-23
Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron · Advisory · frox
CriticalCVE-2026-42292026-04-23
PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) · Advisory · froxlor/fro
MediumCVE-2025-18582025-06-03
HTML Injection · Advisory · froxlor/Froxlor · GitHub

Showing up to 20 recent security advisories. View all →

This page lists every published CVE security advisory associated with froxlor. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.