CVE-2026-41236

8.8 HIGH

Froxlor is open source server administration software

Published: 2026-06-04 · Last updated: 2026-06-08

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59

Description

Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.

Source: NVD

References

Related CVEs

Same CWE

CVE-2025-46293 — This issue was addressed with improved handling of symlinks (5.5 MEDIUM)
CVE-2026-45384 — bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files (6.1 MEDIUM)
CVE-2026-53476 — A flaw was found in assisted-migration-agent (9.6 CRITICAL)
CVE-2026-11853 — Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution (6.5 MEDIUM)
CVE-2026-11837 — A local privilege escalation vulnerability was found in the ansible.posix authorized_key module (7.3 HIGH)