CVE-2026-41231
HIGHFroxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron
Title source: cnaDescription
Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
X_Refsource_Misc x_refsource_misc
https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
X_Refsource_Misc x_refsource_misc
https://github.com/froxlor/froxlor/releases/tag/2.3.6
Scores
CVSS v3
7.5
EPSS
0.0041
EPSS Percentile
32.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-59
Status
published
Products (2)
froxlor/froxlor
< 2.3.6 (2 CPE variants)
froxlor/froxlor
0 - 2.3.6Packagist
Published
Apr 23, 2026
Tracked Since
Apr 23, 2026