CVE-2026-41232

Source
https://cve.org/CVERecord?id=CVE-2026-41232
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41232.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41232
Aliases
Published
2026-04-23T03:54:55.765Z
Modified
2026-07-08T08:13:12.648542370Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N CVSS Calculator
Summary
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing
Details

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41232.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/froxlor/froxlor

Affected ranges

Type
GIT
Repo
https://github.com/froxlor/froxlor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.6"
        }
    ]
}

Affected versions

0.*
0.10.0
0.10.0-rc1
0.10.0-rc2
0.10.1
0.10.10
0.10.11
0.10.12
0.10.13
0.10.14
0.10.15
0.10.16
0.10.17
0.10.18
0.10.19
0.10.2
0.10.20
0.10.21
0.10.22
0.10.23
0.10.23.1
0.10.24
0.10.25
0.10.26
0.10.27
0.10.28
0.10.29
0.10.29.1
0.10.3
0.10.30
0.10.31
0.10.32
0.10.33
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.9.18
0.9.18.1
0.9.19
0.9.20
0.9.20.1
0.9.21
0.9.22
0.9.22-rc1
0.9.23
0.9.23-rc1
0.9.24
0.9.24-rc1
0.9.25
0.9.25-rc1
0.9.26
0.9.26-rc1
0.9.27
0.9.27-rc1
0.9.28
0.9.28-rc1
0.9.28.1
0.9.29
0.9.29-rc1
0.9.30
0.9.30-rc1
0.9.31-rc1
0.9.32
0.9.32-rc1
0.9.32-rc2
0.9.33-rc1
0.9.33-rc2
0.9.33-rc3
0.9.34.1
0.9.34.2
0.9.35
0.9.35-rc1
0.9.35.1
0.9.36
0.9.37
0.9.37-rc1
0.9.38
0.9.38-rc1
0.9.38-rc2
0.9.38.1
0.9.38.2
0.9.38.3
0.9.38.4
0.9.38.5
0.9.38.6
0.9.38.7
0.9.38.8
0.9.39
0.9.39.1
0.9.39.2
0.9.39.3
0.9.39.4
0.9.39.5
2.*
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.0-beta1
2.1.0-beta2
2.1.0-rc1
2.1.0-rc2
2.1.0-rc3
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0-rc1
2.3.0
2.3.0-rc1
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41232.json"