{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T08:44:52.853","vulnerabilities":[{"cve":{"id":"CVE-2026-26279","sourceIdentifier":"security-advisories@github.com","published":"2026-03-03T23:15:55.223","lastModified":"2026-03-05T21:19:02.577","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."},{"lang":"es","value":"Froxlor es software de administración de servidor de código abierto. Antes de la versión 2.3.4, un error tipográfico en el código de validación de entrada de Froxlor (== en lugar de =) deshabilita completamente la verificación del formato de correo electrónico para todos los campos de configuración declarados como tipo de correo electrónico. Esto permite a un administrador autenticado almacenar cadenas arbitrarias en la configuración panel.adminmail. Este valor se concatena posteriormente en un comando de shell ejecutado como root por una tarea cron, donde el carácter de tubería | está explícitamente en la lista blanca. El resultado es una ejecución remota de código completa a nivel de root. Esta vulnerabilidad se corrige en la versión 2.3.4."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"},{"lang":"en","value":"CWE-482"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.4","matchCriteriaId":"49CEB95F-CF4B-45DB-A6A7-B6CE5E1F9961"}]}]}],"references":[{"url":"https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]},{"url":"https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/froxlor/froxlor/releases/tag/2.3.4","source":"security-advisories@github.com","tags":["Release Notes"]}]}}]}