CVE-2026-41232

Name of the Vulnerable Software and Affected Versions Froxlor versions prior to 2.3.6

Description In the EmailSender::add() function, the domain ownership validation for full email sender aliases uses an incorrect array index when splitting the email address. This results in the local part of the address being passed to validateLocalDomainOwnership() instead of the domain. Consequently, the ownership check passes for non-existent domains, enabling any authenticated customer to add sender aliases for email addresses on domains owned by other customers. This allows the attacker to be authorized by Postfix's sender login maps to send emails as those addresses.

Recommendations Update to version 2.3.6.