PatchSiren cyber security CVE debrief
CVE-2026-41235 froxlor CVE debrief
Froxlor server administration software version 2.3.6 has a vulnerability allowing authenticated customers with shell delegation enabled to submit an arbitrary shell, potentially leading to real host shell access. The issue is fixed in version 2.3.7.
- Vendor: froxlor
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-08
Who should care
Administrators using Froxlor server administration software version 2.3.6, especially those with shell delegation enabled for customers.
Technical summary
In Froxlor server administration software version 2.3.6, administrators can configure `system.available_shells` as the approved shell list for FTP users. However, the server-side FTP account handlers do not enforce this whitelist when processing add or edit requests. This allows an authenticated customer with shell delegation enabled to submit an arbitrary shell, such as `/bin/bash`, even if the panel UI only offers more restricted choices. In deployments using the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access.
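The missing control described above is a server-side allowlist check that must run regardless of what the panel UI offers. The following is an added illustration of such a check, written in Python rather than Froxlor's PHP; it is not Froxlor's code, and it assumes the approved-shell setting is stored as a comma-separated list of absolute paths (the real storage format of `system.available_shells` is not given on this page). It shows the shell value being normalised and compared against the approved list before it is ever written into a passwd-style entry of the kind an `nssextrausers`-style integration would consume.

```python
import os.path

# Constructed example value of an approved-shell setting, as an administrator
# might configure it. Assumed comma-separated; not Froxlor's exact format.
AVAILABLE_SHELLS_SETTING = "/bin/false, /usr/sbin/nologin, /bin/rbash"


def parse_allowed_shells(setting):
    """Split the configured setting into a list of approved shell paths."""
    shells = []
    for entry in setting.split(","):
        entry = entry.strip()
        if entry:
            shells.append(entry)
    return shells


def normalize_shell(value):
    # Collapse variants such as "/bin//rbash" or "/bin/../bin/rbash" so that
    # the comparison is made on one canonical spelling of the path. Symlinks
    # are deliberately not resolved: the allowlist is a list of literal paths.
    return os.path.normpath(value)


def validate_requested_shell(requested, allowed_shells, delegation_enabled):
    """Server-side check for the shell field of an FTP account add/edit request.

    Returns (ok, shell_to_store, reason). The value submitted by the client is
    never trusted; it is only accepted if it matches an approved entry.
    """
    if not delegation_enabled:
        # The customer may not choose a shell at all: apply the default
        # (here the first approved entry) and ignore whatever was submitted.
        return (True, allowed_shells[0], "delegation disabled; default shell applied")
    if not isinstance(requested, str) or not requested.strip():
        return (False, None, "empty shell")
    candidate = normalize_shell(requested.strip())
    if not candidate.startswith("/"):
        return (False, None, "shell must be an absolute path")
    allowed = {normalize_shell(s) for s in allowed_shells}
    if candidate not in allowed:
        return (False, None, f"shell {candidate!r} is not in the approved list")
    return (True, candidate, "ok")


def passwd_entry(username, uid, gid, home, shell):
    """Build a passwd-style line. Only call this with a shell that passed
    validate_requested_shell(); the shell written here is what the host
    account database will use."""
    return f"{username}:x:{uid}:{gid}::{home}:{shell}"


def handle_ftp_account_request(form, delegation_enabled):
    """Hypothetical request handler tying the pieces together."""
    allowed = parse_allowed_shells(AVAILABLE_SHELLS_SETTING)
    ok, shell, reason = validate_requested_shell(
        form.get("shell"), allowed, delegation_enabled
    )
    if not ok:
        return {"status": "rejected", "reason": reason}
    line = passwd_entry(form["username"], form["uid"], form["gid"], form["home"], shell)
    return {"status": "accepted", "passwd_line": line}


if __name__ == "__main__":
    # Constructed request: the UI offered only the approved list, but the
    # client submitted a different value anyway.
    req = {"username": "ftp1", "uid": "10001", "gid": "10001",
           "home": "/var/customers/webs/ftp1", "shell": "/bin/bash"}
    print(handle_ftp_account_request(req, delegation_enabled=True))
    req["shell"] = "/bin/../bin/rbash"
    print(handle_ftp_account_request(req, delegation_enabled=True))
```

The important property is that the approved list is consulted in the handler, not in the form that renders the choices: a client can always send a value the UI never displayed, so the check in `validate_requested_shell` is the one that decides what reaches the account database.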
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Froxlor version 2.3.7 or later.
- Review and restrict shell delegation for customers.
- Monitor FTP account creation and modification requests.
Evidence notes
CVE-2026-41235 has a CVSS score of 8.6 and is considered HIGH severity.
Official resources
CVE-2026-41235 was published on 2026-06-04T19:16:29.153Z and modified on 2026-06-08T19:16:44.070Z.