Cyber Resilience

CVE-2026-41231

HighPublic PoC

Published: 23 April 2026

Published
23 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0009 25.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41231 is a high-severity Link Following (CWE-59) vulnerability in Froxlor Froxlor. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41231 is a symlink following vulnerability (CWE-59) affecting Froxlor, an open-source server administration software, in versions prior to 2.3.6. The issue resides in the `DataDump.add()` function, which constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`. This bypasses symlink validation previously added to other customer-facing path operations, likely as a fix for CVE-2023-6069. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated customer with low privileges (PR:L) can exploit this by providing a malicious symlink in the export path. When the ExportCron job runs as root, it executes `chown -R` on the resolved symlink target, enabling the attacker to take ownership of arbitrary directories on the system. Exploitation requires high attack complexity (AC:H) but can be performed over the network without user interaction, potentially leading to high confidentiality, integrity, and availability impacts.

Froxlor version 2.3.6 addresses the issue with an updated fix, as detailed in the project's GitHub release notes, commit history, and security advisory (GHSA-75h4-c557-j89r). Security practitioners should upgrade to 2.3.6 or later and review configurations to ensure the ExportCron does not run with excessive privileges where possible.

EU & UK References

Vulnerability details

Froxlor is open source server administration software. Prior to version 2.3.6, `DataDump.add()` constructs the export destination path from user-supplied input without passing the `$fixed_homedir` parameter to `FileDir::makeCorrectDir()`, bypassing the symlink validation that was added to all other customer-facing path operations…

more

(likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes `chown -R` on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system. Version 2.3.6 contains an updated fix.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1222.002 Linux and Mac Permissions Defense Impairment
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.
Why these techniques?

Symlink following vuln in authenticated path input allows low-priv user to cause root cron job to chown arbitrary directories, directly enabling privilege escalation via vuln exploitation and Linux file/directory permission modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-30932Same product: Froxlor Froxlor
CVE-2026-41228Same product: Froxlor Froxlor
CVE-2026-26279Same product: Froxlor Froxlor
CVE-2025-29773Same product: Froxlor Froxlor
CVE-2026-41229Same product: Froxlor Froxlor
CVE-2026-41230Same product: Froxlor Froxlor
CVE-2025-60710Shared CWE-59
CVE-2026-42834Shared CWE-59
CVE-2025-21373Shared CWE-59
CVE-2026-2627Shared CWE-59

Affected Assets

froxlor
froxlor
≤ 2.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforcing least privilege prevents the ExportCron from running as root, blocking low-privilege customers from using symlinks to chown arbitrary system directories.

prevent

Timely flaw remediation by patching to Froxlor version 2.3.6 directly fixes the symlink bypass in DataDump.add() that skips fixed_homedir validation.

prevent

Validating user-supplied export path inputs prevents construction of malicious symlinks that bypass FileDir::makeCorrectDir() symlink checks.

References