VYPR
Get started
← All advisories
Medium severity5.0NVD Advisory· Published Apr 23, 2026· Updated Apr 27, 2026

CVE-2026-41232

CVE-2026-41232

Description

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses. Version 2.3.6 fixes the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
froxlor/froxlorPackagist
< 2.3.62.3.6

Affected products

1

Patches

1
77d04badf549

fix domain-ownership validation in EmailSender.add

https://github.com/froxlor/froxlorMichael KaufmannMar 29, 2026via ghsa
commit
1 file changed · +1 1
  • lib/Froxlor/Api/Commands/EmailSender.php+1 1 modified
    @@ -97,7 +97,7 @@ public function add()
 			if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
 				Response::standardError('emailiswrong', $allowed_sender, true);
 			}
-			self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");
+			self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
 		} else {
 			if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
 				Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.