PT-2026-44907 · Froxlor · Froxlor

Larlarua

·

Published

2026-05-29

·

Updated

2026-06-08

·

CVE-2026-41236

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Froxlor version 2.3.6
Description A symlink-following flaw exists in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to ~/.ssh/authorized keys within a customer-controlled home directory without verifying if the target path is a symbolic link. An attacker with a shell-enabled customer account can replace ~/.ssh/authorized keys with a symlink pointing to /root/.ssh/authorized keys. When the privileged cron task executes the SshKeys::generateFiles() function and subsequently appends the key, the attacker-supplied key is added to the root user's authorized key file, granting the attacker root SSH access. This process involves the SshKeys.add API call and the makeCorrectFile() function, which fails to resolve or reject symlinks.
Recommendations Update to version 2.3.7.

Exploit

Fix

LPE

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41236
GHSA-MQ5V-PXPM-8JW2

Affected Products

Froxlor