PT-2026-22840 · Froxlor · Froxlor
Moonster8282 · Published 2026-03-03 · Updated 2026-03-23 · CVE-2026-26279
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.3.4
Description: Froxlor is open source server administration software. A typo in its input validation code ('==' written where '=' was intended) disables email format checking for settings fields designated as email type, so the comparison operator silently bypasses the validation. This allows an authenticated administrator to store an arbitrary string in the panel.adminmail setting. That value is then incorporated into a shell command executed as root by a cron job, with the pipe character '|' explicitly permitted, which turns the missing check into an OS command injection and root-level Remote Code Execution.
Recommendations: Versions prior to 2.3.4 should be updated to version 2.3.4.
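An added illustration of the bug class in hypothetical PHP (not Froxlor's validator or cron script; the function names, the flag variable and the mail command are assumptions): the comparison-instead-of-assignment typo beside its corrected form, plus the extra hardening step of quoting the stored value before it reaches a shell, which the advisory does not discuss.

```php
<?php
declare(strict_types=1);

// Hypothetical settings validator (not Froxlor's code) showing the bug class
// the advisory describes: '==' written where '=' was intended, so the flag
// that enables email validation is compared against true and then discarded.
function validateSettingBuggy(string $type, string $value): bool
{
    $needsEmailCheck = false;
    if ($type === 'email') {
        $needsEmailCheck == true;   // typo: a comparison whose result is thrown away
    }
    // $needsEmailCheck is still false here, so any string passes for 'email' fields
    if ($needsEmailCheck && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return true;
}

// Corrected validator: the assignment restores the format check.
function validateSettingFixed(string $type, string $value): bool
{
    $needsEmailCheck = false;
    if ($type === 'email') {
        $needsEmailCheck = true;
    }
    if ($needsEmailCheck && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return true;
}

// Defence in depth for the sink: a stored setting that reaches a shell command
// is quoted with escapeshellarg(), so a validation bypass alone can no longer
// inject shell metacharacters such as '|'. The command itself is illustrative.
function buildMailCommand(string $adminMail): string
{
    return '/usr/bin/mail -s report ' . escapeshellarg($adminMail);
}

// Constructed sample value containing a pipe, as an email-type field would
// receive it through the panel; not a value taken from the advisory.
$sample = 'root@example.com | true';
var_dump(validateSettingBuggy('email', $sample));  // the typo lets it through
var_dump(validateSettingFixed('email', $sample));  // rejected by the format check
echo buildMailCommand($sample), PHP_EOL;           // pipe ends up inside single quotes
```

A static analyser or PHP linter that flags expression statements with no effect would catch the `==` line; the `escapeshellarg()` wrapper protects the sink even if a future validation regression slips through.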

Exploit

Fix

LPE

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-26279
GHSA-33MP-8P67-XJ7C

Affected Products

Froxlor