ISPConfig 3.2.11p1 Released

This is a security patch release, it fixes a PHP Code Injection Vulnerability in the ISPConfig language file editor.
The vulnerability requires that the attacker is correctly logged in as the ‘admin’ user (the account with superadmin privilege) in ISPConfig, so an attacker must know the administrator password or get access to an active admin account session. Not affected are logins from Clients, Resellers, or Email users and also not logins from additionally created admin users.
Also not affected are systems where the language editor is disabled. The language editor can be disabled by setting:


in the file /usr/local/ispconfig/security/security_settings.ini.
Thank you to Egidio Romano from Karma(In)Security for reporting this issue.

You can see the full changelog here:

Known issues

Please take a look at the bug tracker:[]=Bug

You can report bugs at

Supported Linux Distributions

– Debian 9 – 12 (recommended) and Debian testing
– Ubuntu 18.04 — LTS – 22.04 LTS (recommended)
– CentOS 7 – 8

Download ISPConfig 3.2.11p1

The installation instructions for ISPConfig can be found here:

How can I update to the ISPConfig 3.2.11p1?

You can update to ISPConfig 3.2.11p1 by using the command.

Manual update instructions

In case you need to run the update manually without using, use the manual download procedure below:

Run the following commands as root user on your ISPConfig server:

cd /tmp
tar xvfz ISPConfig-3.2.11p1.tar.gz
cd ispconfig3_install/install
php -q update.php