Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-w7xv-k4rd-v7bq
Vulnerability ID VCID-w7xv-k4rd-v7bq
Aliases CVE-2026-41231
GHSA-75h4-c557-j89r
Summary Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2026-41231
epss 0.00087 https://api.first.org/data/v1/epss?cve=CVE-2026-41231
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-75h4-c557-j89r
cvssv3.1 7.5 https://github.com/froxlor/froxlor
generic_textual HIGH https://github.com/froxlor/froxlor
cvssv3.1 7.5 https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
generic_textual HIGH https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
ssvc Track* https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
cvssv3.1 7.5 https://github.com/froxlor/froxlor/releases/tag/2.3.6
generic_textual HIGH https://github.com/froxlor/froxlor/releases/tag/2.3.6
ssvc Track* https://github.com/froxlor/froxlor/releases/tag/2.3.6
cvssv3.1 7.5 https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
cvssv3.1_qr HIGH https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
generic_textual HIGH https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
ssvc Track* https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-41231
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-41231
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-41231
https://github.com/froxlor/froxlor
https://nvd.nist.gov/vuln/detail/CVE-2026-41231
2.3.6 https://github.com/froxlor/froxlor/releases/tag/2.3.6
2987b0e8806ef12b532410050ad76d13d673a87d https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
GHSA-75h4-c557-j89r https://github.com/advisories/GHSA-75h4-c557-j89r
GHSA-75h4-c557-j89r https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:48:21Z/ Found at https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor/releases/tag/2.3.6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:48:21Z/ Found at https://github.com/froxlor/froxlor/releases/tag/2.3.6
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-23T14:48:21Z/ Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41231
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.24972
EPSS Score 0.00087
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:51:11.336415+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41231.json 38.6.0