SQL injection in Froxlor - CVE-2026-54348
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote privileged user to disclose sensitive information.
The vulnerability exists due to SQL injection in the Admins.add, Admins.update, and IpsAndPorts.listing API workflow when processing a stored `ipaddress` value and later building a dynamic `IN` clause from it. A remote privileged user can store a crafted SQL payload through the `ipaddress` parameter and trigger it via `IpsAndPorts.listing` to disclose sensitive information.
The issue is second-order (the payload is stored first and only executed later, when the listing query is built) and requires an authenticated administrator API key with `change_serversettings = 1`.
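To show the mitigation for the pattern described above, here is an added example (not Froxlor's code; the advisory does not show its queries) of building the `IN` clause from stored `ipaddress` values with bound parameters and validating each stored value as an IP address before use. The `ips` table, its rows and the function names are constructed assumptions.

```python
import ipaddress
import sqlite3

# Constructed sample rows standing in for stored ipaddress values
# (assumption: not Froxlor's real schema). Row 3 holds a tampered,
# non-IP value of the kind a second-order injection relies on.
ROWS = [
    (1, "192.0.2.10"),
    (2, "2001:db8::1"),
    (3, "198.51.100.7'"),
]


def validate_ip(value: str) -> bool:
    """True only if the stored value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_in_clause(values):
    """Return (sql_fragment, params) with one '?' placeholder per valid value.

    Concatenating the stored strings into the SQL text is what makes the
    listing query injectable; binding them keeps them data, not syntax.
    """
    clean = [v for v in values if validate_ip(v)]
    if not clean:
        return "0", []  # 'IN ()' is invalid SQL, so use an always-false predicate
    placeholders = ",".join("?" * len(clean))
    return f"ipaddress IN ({placeholders})", clean


def listing(conn, stored_values):
    """Hardened listing: stored values are validated, then bound as parameters."""
    sql, params = build_in_clause(stored_values)
    return [r[0] for r in conn.execute(f"SELECT id FROM ips WHERE {sql}", params)]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ips (id INTEGER PRIMARY KEY, ipaddress TEXT)")
    conn.executemany("INSERT INTO ips VALUES (?, ?)", ROWS)
    # As in the advisory's workflow, the values fed to the listing come from storage.
    stored = [r[1] for r in ROWS]
    return listing(conn, stored)  # returns [1, 2]: the tampered row is never bound
```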