SB20260427158 - OS Command Injection in Froxlor

Published: April 27, 2026

Security Bulletin ID: SB20260427158
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) OS Command Injection (CVE-ID: CVE-2026-26279)

The vulnerability allows a remote privileged user to execute arbitrary code as root.

The vulnerability exists due to improper neutralization of special elements used in an OS command (CWE-78) in AcmeSh.php: the panel.adminmail setting is concatenated into a shell command that the Froxlor cron job executes. A remote privileged user (an administrator able to change panel settings) can store a specially crafted panel.adminmail value containing shell metacharacters; when the cron job builds and runs that command, the injected part executes as root.

Exploitation requires chaining with an input validation bypass for email-type settings, since the email-type validation on the setting otherwise blocks such a value, and the payload only fires when the cron job takes the acme.sh installation path.
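The following PHP is an added example, not Froxlor's code and not the vulnerable AcmeSh.php. It shows the bug class described above (a stored setting concatenated into a shell command that a root cron job runs) beside two hardened variants and a small audit check. The function names, the acme.sh command line (`--install -m <mail>`), the binary path and the sample setting values are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Froxlor's code): a stored email-type setting pasted
// into a shell command, next to hardened variants. Function names, the
// acme.sh command line and the sample values are assumptions.

// Constructed sample values: a benign panel.adminmail and one carrying shell
// metacharacters, as an attacker who bypassed the email-type validation
// might store it.
const BENIGN_MAIL    = 'admin@example.com';
const MALICIOUS_MAIL = 'admin@example.com; touch /tmp/pwned #';

/**
 * VULNERABLE pattern: the setting is concatenated verbatim into a command
 * string. Handed to exec()/shell_exec() by a root cron job, the ';' ends
 * the acme.sh command, 'touch /tmp/pwned' runs as root, and '#' swallows
 * whatever follows.
 */
function buildAcmeInstallCommandVulnerable(string $adminMail): string
{
    return '/root/acme.sh --install -m ' . $adminMail;
}

/**
 * HARDENED pattern, still shell-based: re-validate at the point of use (do
 * not trust that the value was validated when it was stored) AND quote it
 * so the shell sees one literal argument. Validation alone is not enough:
 * RFC 5322 allows quoted local parts such as "a;b"@example.com, which a
 * syntactic email check may accept.
 */
function buildAcmeInstallCommandHardened(string $adminMail): string
{
    if (filter_var($adminMail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('panel.adminmail is not a valid email address');
    }
    return '/root/acme.sh --install -m ' . escapeshellarg($adminMail);
}

/**
 * Safest pattern: never involve /bin/sh. proc_open() accepts an argv array
 * (PHP >= 7.4) and execs the binary directly, so metacharacters in an
 * argument are just bytes of that argument. $binary is a parameter so the
 * demo below can exercise the path with /bin/echo instead of a real acme.sh.
 */
function runAcmeInstallWithoutShell(string $binary, string $adminMail): array
{
    if (filter_var($adminMail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('panel.adminmail is not a valid email address');
    }
    $argv = [$binary, '--install', '-m', $adminMail];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

/**
 * Audit helper: flag a stored value that should be a plain email address but
 * contains characters /bin/sh would interpret (useful for checking the
 * current panel.adminmail value on an unpatched install).
 */
function containsShellMetacharacters(string $value): bool
{
    return preg_match('/[;&|`$()<>\\\\\'"\s]/', $value) === 1;
}

// --- demo ---------------------------------------------------------------
foreach ([BENIGN_MAIL, MALICIOUS_MAIL] as $mail) {
    echo "value: {$mail}\n";
    echo "  metacharacters present: " . (containsShellMetacharacters($mail) ? 'yes' : 'no') . "\n";
    echo "  vulnerable command:     " . buildAcmeInstallCommandVulnerable($mail) . "\n";
    try {
        echo "  hardened command:       " . buildAcmeInstallCommandHardened($mail) . "\n";
        $r = runAcmeInstallWithoutShell('/bin/echo', $mail);
        echo "  no-shell run (echo):    " . trim($r['stdout']) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  rejected:               " . $e->getMessage() . "\n";
    }
}
```

The vulnerable builder is only printed, never executed. For the malicious value the hardened builder throws before any command is assembled; for the benign value it emits a quoted argument, and the argv-array variant runs `/bin/echo` with the address as a single argument regardless of its contents. The argv-array form is the one to prefer in cron code that runs as root, since it removes the shell from the picture rather than relying on quoting being applied at every concatenation site.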


Remediation

Install the update from the vendor's website. On installations that cannot be updated immediately, review the stored panel.adminmail value and confirm it is a plain email address with no shell metacharacters, and restrict who can change panel settings.