VYPR
← All advisories
Medium severity6.1NVD Advisory· Published Jun 8, 2026· Updated Jun 8, 2026

CVE-2026-29170

CVE-2026-29170

Description

Apache HTTP Server 2.4.67 and earlier is vulnerable to XSS in mod_proxy_ftp's HTML directory listing, allowing script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache HTTP Server 2.4.67 and earlier is vulnerable to XSS in mod_proxy_ftp's HTML directory listing, allowing script execution.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in the HTML directory list generation functionality of mod_proxy_ftp within Apache HTTP Server versions 2.4.0 through 2.4.67. This vulnerability can be triggered when the server is configured to act as either a forward or reverse proxy and is listing the contents of an FTP directory [1].

Exploitation

An attacker can exploit this vulnerability by tricking a user into visiting a specially crafted URL that causes the Apache HTTP Server to proxy an FTP directory listing. The vulnerability requires the mod_proxy_ftp module to be enabled and configured for proxying FTP directories. No specific authentication or user interaction beyond visiting a malicious link is mentioned in the available references [1].

Impact

Successful exploitation of this cross-site scripting vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the victim's browser. This could lead to session hijacking, credential theft, or redirection to malicious websites, depending on the privileges of the user viewing the compromised directory listing [1].

Mitigation

Apache HTTP Server version 2.4.68, released on 2026-06-08, addresses this vulnerability. Users are strongly recommended to upgrade to version 2.4.68 or later. No workarounds are specified in the available references [1].

References
  1. Apache HTTP Server 2.4 vulnerabilities

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
35c6e405390e

cookie reqest header counting (#324)

https://github.com/icing/mod_h2Stefan EissingMay 27, 2026via body-scan
commit
1 file changed · +4 0
  • mod_http2/h2_util.c+4 0 modified
    @@ -1708,6 +1708,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
              && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) {
         existing = apr_table_get(headers, "cookie");
         if (existing) {
+            if (!nv->valuelen)
+                return APR_SUCCESS;
             /* Cookie header come separately in HTTP/2, but need
              * to be merged by "; " (instead of default ", ")
              */
@@ -1719,6 +1721,8 @@ static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
             apr_table_setn(headers, "Cookie",
                            apr_psprintf(pool, "%s; %.*s", existing,
                                         (int)nv->valuelen, nv->value));
+            /* Treat the merge as an "add" to not escape LimitRequestFields */
+            *pwas_added = 1;
             return APR_SUCCESS;
         }
     }

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

1