CVE-2026-41235
Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement
Description
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.
INFO
Published Date :
June 4, 2026, 5:50 p.m.
Last Modified :
June 4, 2026, 5:50 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2026-41235
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update Froxlor to version 2.3.7 or later.
- Verify FTP user shell assignments are correctly enforced.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-41235 vulnerability anywhere in the article.