{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41231", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T03:52:42.587Z", "dateUpdated": "2026-04-23T16:23:03.549Z"}, "containers": {"cna": {"title": "Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron", "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "lang": "en", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"}, {"name": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:52:42.587Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix."}], "source": {"advisory": "GHSA-75h4-c557-j89r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:48:21.532406Z", "id": "CVE-2026-41231", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T16:23:03.549Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41231", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T14:48:21.532406Z"}}}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:48:34.964Z"}}], "cna": {"title": "Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron", "source": {"advisory": "GHSA-75h4-c557-j89r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"status": "affected", "version": "< 2.3.6"}]}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r", "name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d", "name": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59: Improper Link Resolution Before File Access ('Link Following')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:52:42.587Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41231", "state": "PUBLISHED", "dateUpdated": "2026-04-23T16:23:03.549Z", "dateReserved": "2026-04-18T03:47:03.134Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T03:52:42.587Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9C896A-1305-4134-850E-4B44962A6C0A", "versionEndExcluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix."}], "id": "CVE-2026-41231", "lastModified": "2026-04-27T17:01:42.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T04:16:19.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/froxlor/froxlor/commit/2987b0e8806ef12b532410050ad76d13d673a87d"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-75h4-c557-j89r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "froxlor", "vendor": "froxlor"}], "analysis": {"en": {"generated_at": "2026-04-28T07:39:31.020706+00:00", "value": {"mitigation_remediation": ["Upgrade Froxlor to version 2.3.6 or later, which restores symlink validation in DataDump.add.", "If upgrading immediately is not feasible, reconfigure the ExportCron task so it runs under a non\u2011root user or remove the cron job altogether to prevent the chown from executing with administrative privileges.", "Restrict the export directory location to a non\u2011world\u2011writable path, disable creation of symlinks in that directory, and monitor for unexpected chown actions to detect any exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Directory Ownership Takeover"}, "threat_synthesis": {"affected_systems": "The flaw affects installations of the Froxlor open\u2011source server administration software published before version 2.3.6. Users who have configured the built\u2011in ExportCron task to run as the root account are at risk, as the task will invoke DataDump.add on customer\u2011supplied exports and subsequently unwrap any symlink target with root privileges. The vulnerable code path is part of the DataDump module inside Froxlor. Applying the 2.3.6 release, which adds the missing fixed homedir check, eliminates the flaw. For older releases, the problem remains until patched.\n\n", "description_and_impact": "Froxlor\u2019s DataDump.add() method previously built the export destination path from user input without applying the fixed homedir validation, allowing a symlink to point to any system directory. When the ExportCron task, which runs under the root account, expands that path it resolves the symlink and executes a recursive chown. An attacker who can invoke the export function\u2014such as a local or remote user with access to the Froxlor web interface\u2014can therefore cause root to change the ownership of any directory they can reference with a symlink, effectively taking administrative control over arbitrary parts of the file system. The flaw resides in the CWE\u201159 category of Relative Path Traversal/Symbolic Link Vulnerability.\n\nThe vulnerability is exploitable only when ExportCron runs with root privileges and the attacker can provide input to DataDump.add. The exploit is straightforward: craft a symlink from the export path to a target directory and trigger the cron job. Once the chown runs, the attacker gains ownership of the target, enabling further compromise such as altering configurations, installing malware, or deleting files.\n\nCVSS score 7.5 classifies the issue as high severity, and the EPSS score of < 1% indicates a low but existing probability of real\u2011world exploitation. The flaw is not listed in CISA\u2019s KEV catalog, but the ability to hijack ownership of arbitrary directories represents a significant privilege escalation that can compromise system integrity and availability. Affected installations are those running Froxlor older than 2.3.6 where ExportCron is configured to execute under the root user. Version 2.3.6 introduces the missing symlink validation and should be installed as soon as possible to mitigate the risk.", "risk_and_exploitability": "The CVSS score of 7.5 indicates that the vulnerability offers significant impact, particularly when exploited to alter file ownership. EPSS < 1% suggests exploitation is unlikely but not impossible, especially in environments where customers can submit data to exporting functions. Attackers would first need to create or control a symlink that points to a target directory they wish to own; then they would trigger the cron job by invoking DataDump.add, which path\u2011resolves the symlink under root and runs chown\u2011R. Because the flaw is tied to a root\u2011executed cron job, the attack vector requires either legitimate user access with export privileges or a system misconfiguration that allows arbitrary code injection into the cron context. Even though the vulnerability is not currently listed in CISA KEV, the ability to seize ownership over arbitrary directories presents a serious privilege escalation and could break the isolation guarantees of the server. In sum, the risk is high in environments that run the export cron under root and expose export functions to customer input."}}}}, "created": "2026-04-28T05:15:22.723416+00:00", "updated": "2026-04-28T07:45:26.036386+00:00", "vendors": ["froxlor", "froxlor$PRODUCT$froxlor"]}