CWE-482
Comparing instead of Assigning
The code uses an operator for comparison when the intention was to perform an assignment.
CVE-2026-26279 (GCVE-0-2026-26279)
Vulnerability from cvelistv5 – Published: 2026-03-03 22:31 – Updated: 2026-03-04 16:13
Title
Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection
Summary
Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4.
Severity
9.1 (Critical)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:12:37.881548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:13:18.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Froxlor",
"vendor": "froxlor",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor\u0027s input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution. This vulnerability is fixed in 2.3.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-482",
"description": "CWE-482: Comparing instead of Assigning",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T22:31:58.516Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/froxlor/Froxlor/security/advisories/GHSA-33mp-8p67-xj7c"
},
{
"name": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/commit/22249677107f8f39f8d4a238605641e87dab4343"
},
{
"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.4"
}
],
"source": {
"advisory": "GHSA-33mp-8p67-xj7c",
"discovery": "UNKNOWN"
},
"title": "Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26279",
"datePublished": "2026-03-03T22:31:58.516Z",
"dateReserved": "2026-02-12T17:10:53.414Z",
"dateUpdated": "2026-03-04T16:13:18.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Testing
Description:
- Many IDEs and static analysis products will detect this problem.
No CAPEC attack patterns related to this CWE.