CVE-2026-41236

· Published 04/06/2026 19:16 · Modified 05/06/2026 15:09

Labels: CVE-2026-41236 · 2026-06-04 · CWE-59 · [email protected]

Essential information

Published
04/06/2026 19:16
Modified
05/06/2026 15:09
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CWE-59
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.
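The description above boils down to a root-privileged job appending to a file whose path an unprivileged user controls. The following added example (not Froxlor's code; the function and scenario names are hypothetical, and a POSIX host with `os.O_NOFOLLOW` is assumed) shows the checks such a job needs: `lstat()` every component so a symlink is refused before it is followed, require the customer to own the home, `.ssh` and key file, reject hard-linked key files, open with `O_NOFOLLOW`, and re-verify the opened descriptor so a swap between check and open is also caught. `demo()` builds a constructed honest home and a hostile home whose `authorized_keys` is a symlink to a stand-in for root's key file, then shows the honest append succeeds while the redirected one is refused and the stand-in is untouched.

```python
import os
import stat
import tempfile

# Added example, not Froxlor's own code. Demonstrates the defensive pattern a
# root-privileged key-sync job needs before appending to a file under a
# customer-controlled home directory. Assumes a POSIX host that provides
# os.O_NOFOLLOW; all names below are illustrative.


class UnsafeKeyPath(Exception):
    """Raised when the authorized_keys path fails a safety check."""


def _require_owned(path, expected_uid, want_dir):
    """lstat() the path (never following symlinks) and enforce type and owner."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeKeyPath(f"{path} is a symbolic link")
    if want_dir and not stat.S_ISDIR(st.st_mode):
        raise UnsafeKeyPath(f"{path} is not a directory")
    if not want_dir and not stat.S_ISREG(st.st_mode):
        raise UnsafeKeyPath(f"{path} is not a regular file")
    if st.st_uid != expected_uid:
        raise UnsafeKeyPath(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
    if not want_dir and st.st_nlink != 1:
        # A hard link is another way to make "the customer's file" be root's file.
        raise UnsafeKeyPath(f"{path} has {st.st_nlink} hard links")
    return st


def append_authorized_key(home, customer_uid, pubkey):
    """Append pubkey to <home>/.ssh/authorized_keys, refusing redirected paths."""
    _require_owned(home, customer_uid, want_dir=True)
    ssh_dir = os.path.join(home, ".ssh")
    _require_owned(ssh_dir, customer_uid, want_dir=True)
    key_file = os.path.join(ssh_dir, "authorized_keys")
    expected = None
    if os.path.lexists(key_file):
        expected = _require_owned(key_file, customer_uid, want_dir=False)
    # O_NOFOLLOW makes the kernel refuse a symlink at the final component even
    # if one appeared after the lstat() above.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(key_file, flags, 0o600)
    try:
        opened = os.fstat(fd)
        if expected is not None:
            # Check-then-open race guard: the descriptor must be the inode we vetted.
            if (opened.st_ino, opened.st_dev) != (expected.st_ino, expected.st_dev):
                raise UnsafeKeyPath(f"{key_file} changed between check and open")
            if opened.st_uid != customer_uid or not stat.S_ISREG(opened.st_mode):
                raise UnsafeKeyPath(f"{key_file} failed ownership/type check after open")
        # A real root-privileged job would os.fchown() a newly created file to
        # the customer here; omitted so this demo runs unprivileged.
        os.write(fd, (pubkey.rstrip("\n") + "\n").encode())
    finally:
        os.close(fd)
    return key_file


def demo():
    """Constructed scenario in a temp dir: one honest home, one hostile home."""
    uid = os.getuid()
    base = tempfile.mkdtemp(prefix="keysync-demo-")
    # Stand-in for /root/.ssh/authorized_keys, the file an attacker wants written.
    victim = os.path.join(base, "root_authorized_keys")
    with open(victim, "w") as f:
        f.write("ssh-ed25519 AAAA...legit-root-key (constructed)\n")
    honest = os.path.join(base, "home_honest")
    os.makedirs(os.path.join(honest, ".ssh"), mode=0o700)
    hostile = os.path.join(base, "home_hostile")
    os.makedirs(os.path.join(hostile, ".ssh"), mode=0o700)
    # The hostile home's authorized_keys is a symlink pointing at the stand-in.
    os.symlink(victim, os.path.join(hostile, ".ssh", "authorized_keys"))
    key = "ssh-ed25519 AAAA...customer-key (constructed)"
    written = append_authorized_key(honest, uid, key)
    with open(written) as f:
        appended = f.read() == key + "\n"
    try:
        append_authorized_key(hostile, uid, key)
        refused = False
    except UnsafeKeyPath:
        refused = True
    with open(victim) as f:
        victim_untouched = key not in f.read()
    return {"appended": appended, "symlink_refused": refused,
            "victim_untouched": victim_untouched}


if __name__ == "__main__":
    print(demo())
```

The ownership check matters as much as the symlink check: a customer cannot create a file owned by root inside their own home, so requiring `st_uid == customer_uid` on every component closes off redirections the symlink test alone would not. Opening with `dir_fd` relative to an already-vetted directory descriptor would tighten the remaining window on the parent directories further.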

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product            CPE
froxlor / froxlor cpe:2.3:a:froxlor:froxlor:2.3.6:*:*:*:*:*:*:*
froxlor / froxlor cpe:2.3:a:froxlor:froxlor:2.3.7:*:*:*:*:*:*:*

References