{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26279", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.414Z", "datePublished": "2026-03-03T22:31:58.516Z", "dateUpdated": "2026-03-04T16:13:18.823Z"}, "containers": {"cna": {"title": "Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-482", "lang": "en", "description": "CWE-482: Comparing instead of Assigning", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c"}, {"name": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4"}], "affected": [{"vendor": "froxlor", "product": "Froxlor", "versions": [{"version": "< 2.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:31:58.516Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."}], "source": {"advisory": "GHSA-33mp-8p67-xj7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:12:37.881548Z", "id": "CVE-2026-26279", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:13:18.823Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26279", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T16:12:37.881548Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:12:41.946Z"}}], "cna": {"title": "Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection", "source": {"advisory": "GHSA-33mp-8p67-xj7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "froxlor", "product": "Froxlor", "versions": [{"status": "affected", "version": "< 2.3.4"}]}], "references": [{"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c", "name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343", "name": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4", "name": "https://github.com/froxlor/froxlor/releases/tag/2.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-482", "description": "CWE-482: Comparing instead of Assigning"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:31:58.516Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26279", "state": "PUBLISHED", "dateUpdated": "2026-03-04T16:13:18.823Z", "dateReserved": "2026-02-12T17:10:53.414Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-03T22:31:58.516Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."}], "id": "CVE-2026-26279", "lastModified": "2026-03-04T18:08:05.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-03T23:15:55.223", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c"}, {"source": "security-advisories@github.com", "url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343"}, {"source": "security-advisories@github.com", "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-482"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}