CVE-2026-41236 in Froxlorinfo

Zusammenfassung

von MITRE • 04.06.2026

Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

18.04.2026

Veröffentlichung

04.06.2026

Moderieren

akzeptiert

Eintrag

VDB-368402

CPE

bereit

CWE

CWE-59 (bestätigt)

CVSS

8.8 (CNA)

EPSS

0.00000

KEV

nein

Aktivitäten

low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-41236
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-41236
CVE Details	https://www.cvedetails.com/cve/CVE-2026-41236/

◂ Zurück Übersicht Weiter ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!