CVE-2026-41228
CVSS 9.9
Daily digests
An authenticated Froxlor customer (not just admins) can set their language preference to a path traversal payload. Froxlor then blindly passes that value into a PHP 'require' call on the next request, which lets the attacker execute arbitrary PHP code as the web server user. This requires a valid customer account and the ability to upload a file to a known path, but the exploitation itself is straightforward once those conditions are met. CVSS 9.9.
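
A defensive pattern for the flaw class described above, shown as an added example; it is not Froxlor's code or its actual patch. The function name, the one-file-per-language directory layout and the `.php` suffix are assumptions, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Froxlor's code): map a stored language preference
// to a file inside $langDir, falling back to $default for anything else.
// Assumes one "<code>.php" file per language in a single directory.
function resolveLanguageFile(string $requested, string $langDir, string $default = 'en'): string
{
    $base = realpath($langDir);
    if ($base === false) {
        throw new RuntimeException('language directory not found');
    }
    foreach ([$requested, $default] as $code) {
        // Allowlist by shape: letters and one optional "_XX" suffix only,
        // so '/', '\', '.', NUL and stream wrappers can never reach require.
        if (preg_match('/\A[a-z]{2,3}(?:_[A-Z]{2})?\z/', $code) !== 1) {
            continue;
        }
        // Canonicalise, then confirm the result is still inside $base
        // (covers symlinks that the shape check cannot see).
        $path = realpath($base . DIRECTORY_SEPARATOR . $code . '.php');
        if ($path !== false && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0) {
            return $path;
        }
    }
    throw new RuntimeException('no usable language file');
}

// Constructed demo data: a temporary language directory plus a file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lngdemo_' . bin2hex(random_bytes(4));
mkdir($root . '/lng', 0700, true);
file_put_contents($root . '/lng/en.php', "<?php return ['hello' => 'Hello'];");
file_put_contents($root . '/lng/de.php', "<?php return ['hello' => 'Hallo'];");
file_put_contents($root . '/outside.php', "<?php return ['hello' => 'outside'];");

// Constructed stored-preference values: one valid, the rest must fall back to 'en'.
foreach (['de', '../outside', "de\0", 'php://input', 'xx'] as $stored) {
    $strings = require resolveLanguageFile($stored, $root . '/lng');
    printf("%-16s -> %s\n", json_encode($stored, JSON_UNESCAPED_SLASHES), $strings['hello']);
}
```

Running the same shape check when the preference is saved rejects a bad value before it is ever stored, so the load-time check becomes a second layer rather than the only one.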