CVE-2026-41231

Published: Apr 23, 2026

Modified: Apr 23, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.

Vendor	Product	Versions
froxlor	froxlor	affected `< 2.3.6`

Weaknesses (CWE)

CWE-59

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r

x_refsource_CONFIRM

https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d

x_refsource_MISC

https://github.com/froxlor/froxlor/releases/tag/2.3.6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41231

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References