CVE-2026-41236 affects Froxlor 2.3.6. The vulnerability is a symlink-following flaw in the privileged SSH key synchronization path used for customer FTP users. Froxlor's provisioning logic appends public keys to ~/.ssh/authorized_keys within a customer-controlled home directory, but does not verify that the destination path is not a symbolic link. An attacker who controls a shell-enabled customer account and can modify files in the assigned home directory can replace ~/.ssh/authorized_keys with a symlink to /root/.ssh/authorized_keys. When Froxlor's root-owned cron task later performs SSH key synchronization, it follows the symlink and appends the attacker-controlled public key to root's authorized_keys, enabling unauthorized root SSH access.
What an attacker gets, and what they’ve been doing with it.
/root/.ssh/authorized_keys, they gain persistent privileged remote access as root. This results in complete confidentiality, integrity, and availability impact on the affected host, including unrestricted command execution, data access and modification, service manipulation, and the ability to establish further persistence or pivoting from the compromised system.

If you can’t patch tonight, do this now.
.ssh paths used by privileged automation. Monitor for symlinks in customer home directories pointing to privileged files, and audit /root/.ssh/authorized_keys for unexpected keys. Running the synchronization task with reduced privileges or adding filesystem and ownership checks before writes would also reduce exposure until patched.

Patch, then assume compromise.
authorized_keys files in customer-controlled paths. Any affected systems should also be reviewed for unauthorized entries in /root/.ssh/authorized_keys and other privileged accounts' SSH authorization files, and any attacker-added keys should be removed.

No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
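
The "filesystem and ownership checks before writes" mitigation mentioned above, sketched in Python as an added example; it is not Froxlor's code or its patch. The names `append_key_safely` and `UnsafeTarget` are hypothetical, and the home directory path itself is assumed to be admin-controlled while everything beneath it is treated as customer-controlled.

```python
import os
import stat

class UnsafeTarget(Exception):
    """The key file is not a plain file inside the customer's own .ssh."""

NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
# O_NONBLOCK keeps a planted FIFO from hanging the privileged writer.
APPEND = os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW | os.O_NONBLOCK

def append_key_safely(home, key_line, owner_uid):
    """Append key_line to <home>/.ssh/authorized_keys without following symlinks.

    Hypothetical helper. `home` is assumed to be an admin-controlled path;
    everything below it is treated as attacker-controlled.
    """
    home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    ssh_fd = file_fd = None
    try:
        try:
            # Open each component relative to its parent descriptor, so a
            # symlinked .ssh directory is rejected as well as a symlinked file.
            ssh_fd = os.open(".ssh", NOFOLLOW_DIR, dir_fd=home_fd)
            try:
                # O_EXCL never follows a symlink, even a dangling one.
                file_fd = os.open("authorized_keys", APPEND | os.O_CREAT | os.O_EXCL,
                                  0o600, dir_fd=ssh_fd)
                os.fchown(file_fd, owner_uid, -1)  # new file belongs to the customer
            except FileExistsError:
                file_fd = os.open("authorized_keys", APPEND, dir_fd=ssh_fd)
        except OSError as exc:
            raise UnsafeTarget(f"refusing to write: {exc.strerror}") from exc
        # Check the object actually opened, not the path, to avoid a race.
        st = os.fstat(file_fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != owner_uid:
            raise UnsafeTarget("not a singly linked regular file owned by the customer")
        os.write(file_fd, key_line.rstrip("\n").encode() + b"\n")
    finally:
        for fd in (file_fd, ssh_fd, home_fd):
            if fd is not None:
                os.close(fd)
```

A missing `.ssh` directory is also refused here; creating it safely would need the same descriptor-relative approach.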