Link following in Froxlor - CVE-2026-41231

Published: April 27, 2026
Vulnerability identifier: #VU128197
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41231
CWE-ID: CWE-59
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software: Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to take ownership of arbitrary directories and files, disclose sensitive information, modify data, and cause a denial of service.

The vulnerability exists due to improper link resolution before file access in DataDump.add() and ExportCron when processing a user-supplied export path that resolves through a symlink. A remote user can schedule a crafted data export so that the cron job recursively changes ownership of the symlink's target.

Exploitation requires the export feature to be enabled and is triggered when the export cron runs as root.
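The flaw described above reduces to two missing controls in a root-run job: the user-supplied export path is not checked for symlinks before use, and the recursive ownership change dereferences links. The Python below is an added illustration of both controls (not Froxlor's own code; the function names and the export-root layout are assumptions): every path component below the export root is lstat'ed and rejected if it is a symlink, and the recursive chown works on directory file descriptors opened with O_NOFOLLOW and uses fchownat with AT_SYMLINK_NOFOLLOW, so a link swapped in after the check is still not followed.

```python
import os
import stat

# Open directories only, and fail with ELOOP instead of following a link.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

class UnsafeExportPath(ValueError):
    """Raised when a requested export path could redirect the chown."""

def validate_export_path(export_root: str, requested: str) -> str:
    """Return the absolute path if it stays inside export_root and no
    component below the root is a symbolic link (checked with lstat)."""
    root = os.path.realpath(export_root)
    candidate = os.path.normpath(os.path.join(root, requested))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise UnsafeExportPath(f"{requested!r} escapes {root}")
    current = root
    rel = os.path.relpath(candidate, root)
    for part in (rel.split(os.sep) if rel != "." else []):
        current = os.path.join(current, part)
        if stat.S_ISLNK(os.lstat(current).st_mode):
            raise UnsafeExportPath(f"{current} is a symbolic link")
    return candidate

def _chown_open_dir(fd: int, uid: int, gid: int) -> int:
    """Chown the directory behind fd and everything below it; returns the
    number of inodes changed. Never dereferences a symlink."""
    os.fchown(fd, uid, gid)
    changed = 1
    for entry in os.scandir(fd):
        if entry.is_dir(follow_symlinks=False):
            sub = os.open(entry.name, DIR_FLAGS, dir_fd=fd)  # ELOOP on a link
            try:
                changed += _chown_open_dir(sub, uid, gid)
            finally:
                os.close(sub)
        else:
            # fchownat(AT_SYMLINK_NOFOLLOW): a link changes only its own
            # inode, never the file or directory it points to.
            os.chown(entry.name, uid, gid, dir_fd=fd, follow_symlinks=False)
            changed += 1
    return changed

def chown_export_tree(export_root: str, requested: str, uid: int, gid: int) -> int:
    """Validate the requested export path, then chown it recursively."""
    path = validate_export_path(export_root, requested)
    fd = os.open(path, DIR_FLAGS)  # fails if the path became a link meanwhile
    try:
        return _chown_open_dir(fd, uid, gid)
    finally:
        os.close(fd)
```

Running as an unprivileged user, chown to your own uid/gid still exercises the full code path, so the behaviour can be checked without root.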
How to mitigate CVE-2026-41231

Install the security update from the vendor's website.