CVE-2026-41232

low-risk
Published 2026-04-23

Froxlor is open source server administration software. Prior to version 2.3.6, in `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.0/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Froxlor

References (4)

Patch https://github.com/froxlor/froxlor/commit/77d04badf549d5f8429828f0fbc69bc37a35e0...
Release Notes https://github.com/froxlor/froxlor/releases/tag/2.3.6
Exploit https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
Exploit https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal