CVE-2026-41228 | Froxlor up to 2.3.5 API Endpoint Language::loadLanguage def_language filename control (GHSA-w59f-67xm-rxx7)

A vulnerability was found in Froxlor up to 2.3.5. It has been declared as critical. It affects the function Language::loadLanguage of the component API Endpoint. Manipulating the argument def_language leads to improper control of the filename for an include/require statement in a PHP program ('PHP remote file inclusion').

This vulnerability is cataloged as CVE-2026-41228. The attack may be launched remotely. There is no exploit available.

It is recommended to upgrade the affected component.