Incorrect authorization in Froxlor - CVE-2026-41235

Published: June 29, 2026

Vulnerability identifier: #VU135775
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41235
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software:
Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to gain host shell access.

The vulnerability exists due to improper access control in the FTP account handlers when processing add or edit requests for FTP shell assignment. A remote user can submit an arbitrary shell outside the configured whitelist to gain host shell access.

Exploitation requires an authenticated customer session, a valid CSRF token, customer shell delegation to be enabled for that customer, and deployment with the default nssextrausers integration so the chosen shell is propagated into the system account database.
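The pattern behind a CWE-863 finding of this kind, the handler trusting a submitted shell instead of checking it against the configured whitelist, shown beside the corrected check, plus a small audit that flags stored accounts whose shell is outside that whitelist. This is an added, constructed illustration, not Froxlor's code: the handler names, request fields, allowlist contents and passwd sample are all invented.

```python
"""Allowlist check for a user-supplied login shell, plus an audit of stored entries.
Constructed illustration of the CWE-863 pattern in the advisory, not Froxlor's code:
handler names, request fields, allowlist contents and the passwd sample are invented.
"""

# Stand-in for the administrator-configured shell whitelist (constructed).
ALLOWED_SHELLS = frozenset({"/bin/false", "/usr/sbin/nologin", "/bin/bash"})
FALLBACK_SHELL = "/bin/false"

def vulnerable_assign_shell(request: dict, delegation_enabled: bool) -> str:
    """Trusts the submitted field once delegation is on: any path reaches the account store."""
    if not delegation_enabled:
        return FALLBACK_SHELL
    return request.get("shell", FALLBACK_SHELL)

def hardened_assign_shell(request: dict, delegation_enabled: bool,
                          allowed: frozenset = ALLOWED_SHELLS) -> str:
    """Accepts only an exact member of the configured allowlist; refuses everything else."""
    if not delegation_enabled:
        return FALLBACK_SHELL
    candidate = request.get("shell", "").strip()
    # Exact string match against the configured list; do not normalise or resolve
    # paths here, so what gets stored is identical to what the administrator allowed.
    if candidate not in allowed:
        raise PermissionError(f"shell {candidate!r} is not in the configured whitelist")
    return candidate

def audit_passwd_entries(passwd_text: str, allowed: frozenset = ALLOWED_SHELLS) -> list:
    """Return (user, shell) for each passwd-format line whose shell is outside the allowlist.
    Run after patching to find accounts the unpatched handler already gave an arbitrary shell."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # malformed line: report nothing rather than guess
            continue
        user, shell = fields[0], fields[6]
        if shell not in allowed:
            findings.append((user, shell))
    return findings

# Constructed sample in passwd format; usernames and home paths are invented.
SAMPLE_PASSWD = """\
web1ftp1:x:10001:10001::/var/customers/webs/web1:/bin/false
web1ftp2:x:10002:10001::/var/customers/webs/web1:/bin/zsh
web2ftp1:x:10003:10002::/var/customers/webs/web2:/usr/sbin/nologin
"""
```

Running `audit_passwd_entries` over the account database that the nssextrausers integration maintains is a practical post-patch check: any entry outside the whitelist was written before the check existed and should be reset.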

How to mitigate CVE-2026-41235

Install the security update from the vendor's website.

Sources