PT-2026-34633 · Froxlor · Froxlor
Offset · Published 2026-04-16 · Updated 2026-04-23 · CVE-2026-41229
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.3.6
Description: The PhpHelper::parseArrayToString() function writes string values into single-quoted PHP string literals without escaping single quotes. An administrator with the change serversettings permission can exploit this by adding or updating a MySQL server via the API. The privileged user parameter lacks input validation and is written unescaped into the lib/userdata.inc.php file. Because this file is required on every request via Database::getDB(), it allows the injection of arbitrary PHP code that executes as the web server user on every subsequent page load.
Recommendations: Update to version 2.3.6.
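The bug class described above, as an added example that is not Froxlor's code: a settings writer that interpolates values into single-quoted PHP literals, beside a hardened writer that uses var_export() and an input check on the user name. Function names (writeSettingsUnsafe, writeSettingsSafe, isValidDbUser, parsesCleanly) and the sample settings array are constructed for this example; the sample value contains only the single-quote delimiter the flawed writer fails to escape.

```php
<?php
// Added example, not Froxlor's code. Shows why an unescaped single quote in a
// generated PHP config file changes the file's structure, and two mitigations.

// Flawed pattern (assumed shape, mirrors the advisory): the value is dropped
// straight into a single-quoted literal. A quote in the value terminates the
// literal and whatever follows is parsed as PHP when the file is required.
function writeSettingsUnsafe(array $settings): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($settings as $key => $value) {
        $out .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $out . "];\n";
}

// Hardened pattern: var_export() emits a syntactically valid PHP literal for
// any string (it escapes single quotes and backslashes), so a value can never
// close the literal it is placed in.
function writeSettingsSafe(array $settings): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($settings as $key => $value) {
        $out .= "    " . var_export((string) $key, true)
              . " => " . var_export((string) $value, true) . ",\n";
    }
    return $out . "];\n";
}

// Defence in depth: validate the identifier before it reaches the writer.
// The character set here is a conservative assumption for a MySQL user name.
function isValidDbUser(string $user): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,32}$/', $user);
}

// Syntax-check generated PHP without executing it: TOKEN_PARSE makes
// token_get_all() run the parser, which throws ParseError on invalid code.
function parsesCleanly(string $src): bool
{
    try {
        token_get_all($src, TOKEN_PARSE);
        return true;
    } catch (ParseError $e) {
        return false;
    }
}

// Constructed sample input: the user name carries a single quote.
$sample = ['host' => 'localhost', 'user' => "admin'x", 'password' => 'p4ss'];

$unsafe = writeSettingsUnsafe($sample);
$safe   = writeSettingsSafe($sample);

echo "--- unsafe writer ---\n", $unsafe;
echo "--- safe writer ---\n", $safe;

printf("unsafe output parses cleanly: %s\n", parsesCleanly($unsafe) ? 'yes' : 'no');
printf("safe output parses cleanly:   %s\n", parsesCleanly($safe) ? 'yes' : 'no');

printf("isValidDbUser(\"admin'x\"):    %s\n", isValidDbUser("admin'x") ? 'true' : 'false');
printf("isValidDbUser('froxlor_db'):  %s\n", isValidDbUser('froxlor_db') ? 'true' : 'false');
```

Run with `php example.php`. The unsafe writer's output fails the parse check because the quote in the value ends the literal early; the var_export() output parses, and the identifier check rejects the value before it is ever written. The parse check is a useful regression guard for any generator that emits PHP source: run it over the generated file and refuse to install it if it does not parse.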

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-41229
GHSA-GC9W-CC93-RJV8

Affected Products

Froxlor