CVE-2026-41235 in Froxlorinformación

Resumen

por MITRE • 2026-06-04

Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

GitHub M

Reservar

2026-04-18

Divulgación

2026-06-04

Moderación

aceptado

Artículo

VDB-368401

CPE

listo

CWE

CWE-863 (confirmado)

CVSS

6.3 (VulDB)

EPSS

0.00000

KEV

Actividades

bajo

Fuentes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-41235
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-41235
CVE Details	https://www.cvedetails.com/cve/CVE-2026-41235/

◂ Anterior Visión De Conjunto Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!