


Perceptive Security
SOC/SIEM Consultancy

Froxlor is open source server administration software. Prior to version 2.3.6, `PhpHelper::parseArrayToString()` writes string values into single-quoted PHP str…
Published:
22 April 2026 at 22:00:00
Alert date:
23 April 2026 at 05:01:52
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
Froxlor server administration software prior to version 2.3.6 contains a critical PHP code injection vulnerability. PhpHelper::parseArrayToString() writes string values into single-quoted PHP string literals without escaping single quotes. When an admin holding the change_serversettings permission updates the MySQL server settings via the API, the privileged_user parameter is written unescaped into lib/userdata.inc.php, so a value containing a single quote closes the literal and whatever follows is emitted as PHP code. Because Database::getDB() requires userdata.inc.php on every request, the injected code executes on every page load as the web server user. Exploitation requires an authenticated admin with that permission; the impact is that such an account, or its API credentials, is converted into code execution on the host.
Technical details
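The following is an added example written for this page to show the bug class described above; it is not Froxlor's code and does not reproduce the real parseArrayToString() implementation or the 2.3.6 fix. The function names (naiveArrayToPhp, safeArrayToPhp, containsFunctionCall), the `$sql` array layout and the sample settings are assumptions for illustration. It places a naive serializer that drops values into single-quoted PHP literals unescaped next to a hardened one built on var_export(), which escapes the only two characters that carry meaning inside a PHP single-quoted string, `'` and `\`, and then uses the tokenizer to show that the payload becomes a function call in the first output but stays a string in the second.

```php
<?php
declare(strict_types=1);

// Hypothetical vulnerable serializer (NOT Froxlor's code): mirrors the pattern the
// advisory summary describes, i.e. values wrapped in single quotes without escaping.
function naiveArrayToPhp(array $settings): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($settings as $key => $value) {
        // BUG: neither key nor value is escaped before being quoted.
        $out .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $out . "];\n";
}

// Hardened serializer: var_export() emits a valid PHP literal for any scalar or null,
// escaping ' and \, the two characters that are special inside single quotes.
function safeArrayToPhp(array $settings): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($settings as $key => $value) {
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("Unsupported value for key '$key'");
        }
        $out .= "    " . var_export((string) $key, true)
              . " => " . var_export($value, true) . ",\n";
    }
    return $out . "];\n";
}

// Static check: tokenize the generated file (nothing is executed) and report whether
// the name "system" appears as a bare identifier, which means the payload left the literal.
function containsFunctionCall(string $php): bool
{
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && $tok[1] === 'system') {
            return true;
        }
    }
    return false;
}

// Constructed attacker-controlled value for a field like privileged_user: closes the
// literal, smuggles in a statement, then re-opens a literal so the file still parses.
$payload  = "root', 'x' => system('id'), 'y' => '";
$settings = ['host' => 'localhost', 'privileged_user' => $payload];

echo "--- vulnerable output ---\n", naiveArrayToPhp($settings), "\n";
echo "--- hardened output ---\n", safeArrayToPhp($settings), "\n";

var_dump(containsFunctionCall(naiveArrayToPhp($settings)));
var_dump(containsFunctionCall(safeArrayToPhp($settings)));
```

Run it with `php example.php`. The vulnerable output contains `system('id')` as live code, while the hardened output contains the same bytes only inside an escaped literal. Note that the keys need the same treatment as the values: any string that ends up inside a generated PHP file is an injection point, not only the one parameter named in the advisory.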
Mitigation steps:
Upgrade to Froxlor 2.3.6 or later (see the linked release and commit). Upgrading corrects the code that writes the file but does not rewrite a lib/userdata.inc.php that was already modified; review that file for anything other than the expected configuration values, since it is included on every request.
Affected products:
Froxlor
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41229
https://github.com/froxlor/froxlor/commit/3589ddf93ab59eb2a8971f0f56cbf6266d03c4ae
https://github.com/froxlor/froxlor/releases/tag/2.3.6
https://github.com/froxlor/froxlor/security/advisories/GHSA-gc9w-cc93-rjv8
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
