CVE-2026-41231

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.

Vulnerability Details

Published Date

April 23, 2026

Last Modified

April 27, 2026

CWE ID

CWE-59

Source

NVD

Vendor

froxlor

Product

froxlor

External References

https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
https://github.com/froxlor/froxlor/releases/tag/2.3.6
https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r

CVE-2026-41231

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment