CVE-2026-41236
Published 2026-06-04
Priority P2 (59) · Severity: high · CVSS 3.1 base score 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% (28.5th percentile)
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| froxlor | froxlor | — | — |
| froxlor | froxlor | >= 2.3.6 < 2.3.7 | 2.3.7 |
VulDB
Froxlor 2.3.6 link following (GHSA-mq5v-pxpm-8jw2)
vuldb·2026-06-05·CVSS 8.8
CVE-2026-41236 [HIGH] Froxlor 2.3.6 link following (GHSA-mq5v-pxpm-8jw2)
A vulnerability was found in Froxlor 2.3.6. It has been classified as critical. Affected by this vulnerability is an unknown functionality. This manipulation causes link following.
This vulnerability is handled as CVE-2026-41236. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is recommended.
GHSA
Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
ghsa·2026-05-29
CVE-2026-41236 [HIGH] CWE-59 Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
### Summary
Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link.
If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.