pkg:Packagist/froxlor/froxlor

All known vulnerabilities

• CRITICAL9.9CVE-2026-41228Froxlor has Local File Inclusion via path traversal in API `def_language` parameter leads to Remote Code Execution
  from 0, < 2.3.6
• CRITICAL9.9CVE-2023-6069Froxlor Improper Input Validation vulnerability
  from 0, < 2.1.0-beta1
• CRITICAL9.8Froxlor vulnerable to Improper Restriction of Excessive Authentication Attempts
  from 0, < 2.0.20
• CRITICAL9.8Froxlor is vulnerable to authentication bypass
  from 0, < 2.0.13
• CRITICAL9.8Froxlor SQL injection vulnerability
  from 0, < 0.10.30
• CRITICAL9.8Froxlor guessable password reset token
  from 0, < 0.9.35
• CRITICAL9.6Blind XSS Leading to Froxlor Application Compromise
  from 0, < 2.1.9
• CRITICAL9.1Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)
  from 0, < 2.3.6
• CRITICAL9.1Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
  from 0, < 2.3.4
• CRITICAL9.1Froxlor vulnerable to Improper Encoding or Escaping of Output
  from 0, < 2.0.21
• CRITICAL9.1froxlor/froxlor vulnerable to unrestricted upload of file with dangerous type
  from 0, < 2.0.14
• HIGH8.8Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
  >= 2.3.6, < 2.3.7
• HIGH8.8Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
  >= 2.3.6, < 2.3.7
• HIGH8.8Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
  from 0, < 2.3.5
• HIGH8.8Froxlor Cross-Site Request Forgery vulnerability
  from 0, < 2.0.11
• HIGH8.8Code Injection in froxlor/froxlor
  from 0, < 2.0.11
• HIGH8.8froxlor is vulnerable to privilege escalation from customer to root via directory-options
  from 0, < 2.0.10
• HIGH8.8Froxlor vulnerable to Command Injection
  from 0, < 2.0.8
• HIGH8.8Froxlor arbitrary code execution via the database configuration options
  from 0, < 0.10.14
• HIGH8.6Froxlor has an incomplete fix for CVE-2026-30932
  from 0, < 2.3.7
• HIGH8.5Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
  from 0, < 2.3.6
• HIGH8.1Froxlor's API Authentication bypasses 2FA Authentication
  from 0, < 2.3.7
• HIGH7.6Froxlor: BIND Zone File Injection via TXT Record Content
  from 0, < 2.3.7
• HIGH7.5Froxlor has Incomplete Symlink Validation in DataDump.add() Allows Arbitrary Directory Ownership Takeover via Cron
  from 0, < 2.3.6
• HIGH7.5Froxlor username/surname AND company field Bypass
  from 0, < 2.1.2
• HIGH7.5Froxlor contains Weak Password Requirements
  from 0, < 2.0.10
• HIGH7.5Froxlor Incorrect Access Control
  from 0, < 0.9.40
• HIGH7.2Froxlor vulnerable to Path Traversal
  from 0, < 2.0.20
• HIGH7.2Froxlor PHP Object Injection vulnerability
  from 0, < 0.9.40
• MEDIUM6.5Froxlor vulnerable to Allocation of Resources Without Limits or Throttling
  from 0, < 2.0.16
• MEDIUM6.5Froxlor vulnerable to Cross-Site Request Forgery (CSRF)
  from 0, < 0.10.38
• MEDIUM6.1Froxlor vulnerable to code injection
  from 0, < 0.10.38.2
• MEDIUM6.1Froxlor Information Disclosure
  from 0, < 0.10.14
• MEDIUM6.1HTML Injection in Froxlor
  from 0, <= 0.10.22
• MEDIUM5.8Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover
  from 0, < 2.2.6
• MEDIUM5.5Froxlor has an HTML Injection Vulnerability
  from 0, < 2.2.6
• MEDIUM5.5Froxlor is vulnerable to path traversal
  from 0, < 2.0.0
• MEDIUM5.5Froxlor Exposure of Sensitive Information to an Unauthorized Actor
  from 0, <= 0.10.15
• MEDIUM5.4Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()
  from 0, < 2.3.6
• MEDIUM5.4Froxlor Session Fixation vulnerability
  from 0, < 2.1.0
• MEDIUM5.4Froxlor vulnerable to Argument Injection
  >= 2.0.0-beta0, < 2.0.0-beta1
• MEDIUM5.4Foxlor cross-site scripting (XSS) vulnerability
• MEDIUM5.3Froxlor contains Unchecked Error Condition
  from 0, < 2.0.10
• MEDIUM5.0Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing
  from 0, < 2.3.6
• MEDIUM4.9Froxlor contains Business Logic Errors
  from 0, < 2.0.10
• MEDIUM4.8Cross-site Scripting (XSS) in froxlor/froxlor
  from 0, < 2.0.22
• MEDIUM4.8Cross-site Scripting (XSS) in froxlor/froxlor
  from 0, < 2.1.0-dev1
• MEDIUM4.8Froxlor contains Static Code Injection
  from 0, < 2.0.10
• MEDIUM4.6Froxlor vulnerable to Code Injection
  from 0, < 0.10.39
• MEDIUM4.3Froxlor Improper Authorization vulnerability
  >= 2.0.0-beta0, < 2.0.0-beta1
• MEDIUM4.3Froxlor vulnerable to Cross-Site Request Forgery
  >= 2.0.0-beta0, < 2.0.0-beta1
• LOW3.8Froxlor vulnerable to business logic errors
  from 0, < 2.0.22