CVE-2026-41235 HIGH

CVE-2026-41235: Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement

Vendor Froxlor

Product froxlor

Weakness CWE-863 · Incorrect authorization

Published June 4, 2026

Last update June 8, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

What the vulnerability does

01Description

Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.

Key dates

02Disclosure timeline

June 4, 2026 CVE published

June 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41235 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2026-41235: Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement

01Description

02Disclosure timeline

03References

04Related CVE