Incorrect authorization in Froxlor - CVE-2026-41235
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to gain host shell access.
The vulnerability exists due to improper access control in the FTP account handlers when processing add or edit requests for FTP shell assignment. A remote user can submit an arbitrary shell outside the configured whitelist to gain host shell access.
Exploitation requires an authenticated customer session, a valid CSRF token, customer shell delegation to be enabled for that customer, and deployment with the default nssextrausers integration so the chosen shell is propagated into the system account database.
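The defect described above is a missing server-side allowlist check: the value a customer submits for the shell field reaches the account database without being compared against the configured list. The following is an added illustration, not Froxlor's own code, of the two controls a defender wants here: strict allowlist enforcement at the point where a user-chosen shell is accepted, and an audit over passwd-format records (the nss extrausers database uses the same layout) that flags accounts whose shell is outside the allowlist. The function names, the allowlist contents and the sample records are assumptions constructed for the example.

```python
"""
Added illustration (not Froxlor's code): allowlist enforcement for a
user-selectable login shell, plus an audit over passwd-format records
that flags shells outside the allowlist. Names and values are assumed.
"""
from typing import Iterable, List, Optional, Tuple

# Assumed allowlist; a real deployment would read it from panel configuration.
ALLOWED_SHELLS = ("/bin/false", "/usr/sbin/nologin", "/bin/bash")
DEFAULT_SHELL = "/bin/false"


def select_shell(requested: Optional[str],
                 allowed: Iterable[str] = ALLOWED_SHELLS,
                 delegation_enabled: bool = False) -> str:
    """Decide which shell to store for an FTP/system account.

    - If shell delegation is disabled for the customer, the request is ignored
      and the default is used regardless of what was submitted.
    - Otherwise the submitted value must match an allowlist entry exactly
      (no trimming, no normalisation) or the request is rejected outright.
    """
    allowed = tuple(allowed)
    if not delegation_enabled or requested is None:
        return DEFAULT_SHELL
    if requested in allowed:
        return requested
    raise ValueError(f"shell {requested!r} is not in the configured allowlist")


def audit_passwd(lines: Iterable[str],
                 allowed: Iterable[str] = ALLOWED_SHELLS,
                 uid_min: int = 1000) -> List[Tuple[str, str]]:
    """Return (user, shell) pairs for non-system accounts (uid >= uid_min)
    whose shell is not on the allowlist. Input is passwd(5)-style lines."""
    allowed = set(allowed)
    findings: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record, skip rather than guess
        name, _, uid, _, _, _, shell = fields
        try:
            uid_n = int(uid)
        except ValueError:
            continue
        if uid_n < uid_min:
            continue  # system accounts are out of scope for this check
        if shell not in allowed:
            findings.append((name, shell))
    return findings


# Constructed sample records in passwd(5) layout (not real system data).
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
ftp1:x:10001:10001::/var/customers/webs/ftp1:/bin/false
ftp2:x:10002:10002::/var/customers/webs/ftp2:/bin/bash
ftp3:x:10003:10003::/var/customers/webs/ftp3:/bin/sh
"""

if __name__ == "__main__":
    print(select_shell("/bin/bash", delegation_enabled=True))
    for user, shell in audit_passwd(SAMPLE_PASSWD.splitlines()):
        print(f"unexpected shell for {user}: {shell}")
```

The exact-match comparison is deliberate: any normalisation applied before the check (trimming, case folding, resolving symlinks) is a place where the accepted value and the stored value can diverge, so the value written to the account database should be the very string that was compared. The audit function is the corresponding detection: run over the extrausers passwd file, it lists every customer account whose shell was set to something the panel would not have offered.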