Vulnerability details: VCID-nbu9-sey3-w7es
Vulnerability ID VCID-nbu9-sey3-w7es
Aliases CVE-2026-41232
GHSA-vmjj-qr7v-pxm6
Summary Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2026-41232
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vmjj-qr7v-pxm6
cvssv3.1 5.0 https://github.com/froxlor/froxlor
generic_textual MODERATE https://github.com/froxlor/froxlor
cvssv3.1 5 https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
cvssv3.1 5.0 https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
generic_textual MODERATE https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
ssvc Track https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
cvssv3.1 5 https://github.com/froxlor/froxlor/releases/tag/2.3.6
cvssv3.1 5.0 https://github.com/froxlor/froxlor/releases/tag/2.3.6
generic_textual MODERATE https://github.com/froxlor/froxlor/releases/tag/2.3.6
ssvc Track https://github.com/froxlor/froxlor/releases/tag/2.3.6
cvssv3.1 5 https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
cvssv3.1 5.0 https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
cvssv3.1_qr MODERATE https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
generic_textual MODERATE https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
ssvc Track https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
cvssv3.1 5.0 https://nvd.nist.gov/vuln/detail/CVE-2026-41232
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-41232
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Found at https://github.com/froxlor/froxlor
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): none; Integrity Impact (I): low; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Found at https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T14:49:29Z/ Found at https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e07a
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Found at https://github.com/froxlor/froxlor/releases/tag/2.3.6
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T14:49:29Z/ Found at https://github.com/froxlor/froxlor/releases/tag/2.3.6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T14:49:29Z/ Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41232
Exploit Prediction Scoring System (EPSS)
Percentile 0.12181
EPSS Score 0.00039
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:51:10.465791+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41232.json 38.6.0