CVE-2026-41235
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
Froxlor is server administration software that in version 2.3.6 allows administrators to configure an approved shell list for FTP users. However, the server-side FTP account handlers do not enforce this whitelist when processing add or edit requests, allowing authenticated users to assign arbitrary shells.
Risk Assessment
An attacker can gain access to the system shell, leading to serious security risks for the system. If the default `nssextrausers` integration is used, the malicious shell can be propagated into the system account database.
Recommendation
It is recommended to upgrade to version 2.3.7, which fixes this vulnerability. Additionally, it is advisable to review the configuration of available shells for FTP users.
Original NVD description (English source)
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue.

