OS Command Injection in Froxlor - CVE-2026-26279


Published: April 27, 2026


Vulnerability identifier: #VU128193
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26279
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software:
Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code as root.

The vulnerability exists due to improper neutralization of special elements used in an OS command in AcmeSh.php, where the panel.adminmail setting is concatenated into a shell command executed by the cron job. A remote privileged user can store a specially crafted panel.adminmail value containing shell metacharacters to execute arbitrary code as root.

Exploitation requires chaining with an input validation bypass in email-type settings and occurs when the acme.sh installation path is triggered by the cron job.
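The following PHP is an added illustration of the two code patterns the description contrasts: a setting value concatenated straight into a shell string, and the same value validated and passed as a discrete argv element so the shell never interprets it. It is not Froxlor's code; the function names, the acme.sh path and the `--email` flag usage are assumptions made for the example, and the sample values are constructed.

```php
<?php
// Added illustration, not Froxlor's own code. All names and paths are hypothetical.

// Vulnerable pattern: a stored setting is interpolated into a shell command line.
// Any shell metacharacter in $adminMail becomes part of the command the cron job runs.
function buildAcmeInstallCommandUnsafe(string $adminMail): string
{
    return '/bin/sh /usr/local/bin/acme.sh --install --email ' . $adminMail;
}

// Validation for an email-type setting. filter_var() already rejects whitespace and
// most shell metacharacters; the explicit allow-list is defence in depth so that a
// bypass of one check does not silently let a crafted value through.
function isSafeAdminMail(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+$/', $value) === 1;
}

// Hardened pattern: validate at the boundary, then build an argument vector.
// Each element reaches execve() as its own argv entry, so no shell parsing occurs.
function buildAcmeInstallCommandSafe(string $adminMail): array
{
    if (!isSafeAdminMail($adminMail)) {
        throw new InvalidArgumentException('panel.adminmail is not a valid email address');
    }
    return ['/usr/local/bin/acme.sh', '--install', '--email', $adminMail];
}

// proc_open() accepts an array command on PHP >= 7.4 and does not go through /bin/sh.
function runArgv(array $argv): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return 1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample values (not taken from the advisory) to exercise the validator.
$samples = ['admin@example.com', 'admin@example.com; id', 'admin@example.com`hostname`'];
foreach ($samples as $s) {
    printf("%-32s valid=%s\n", $s, isSafeAdminMail($s) ? 'yes' : 'no');
}
```

Two points worth noting for a fix: the validation must be enforced on the settings write path as well as immediately before the command is built, since the advisory describes the issue as chained with a validation bypass in email-type settings; and if a shell string cannot be avoided, `escapeshellarg()` on every interpolated value is the minimum, but the argv form above removes the shell from the picture entirely.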


How to mitigate CVE-2026-26279

Install the security update from the vendor's website.

Sources