Description
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration.

Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Published: 2026-06-08
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache HTTP Server 2.4.67 and earlier contain a client-side cross-site scripting flaw in the mod_proxy_ftp module. When the module generates an HTML directory listing for FTP resources, directory or file names that are not properly sanitized are inserted into the page. This can allow an attacker to inject JavaScript that will run in the browsers of users who view the listing.

Affected Systems

The flaw affects installations of Apache HTTP Server version 2.4.67 or earlier that have mod_proxy_ftp enabled and use directory listing of FTP resources either as a forward or reverse proxy. Systems running newer releases are not vulnerable. The vendor is the Apache Software Foundation.

Risk and Exploitability

Accessing a proxy URL that triggers a directory listing can be performed over the network without local privileges. Because the exploit requires only that a client browser renders the generated page, the risk is that arbitrary script code could execute in the client context. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating that no publicly disclosed exploit has been reported at this time. However, the presence of client-side script execution remains a high-impact concern for exposed directory listings.

Generated by OpenCVE AI on June 8, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.68 or later
  • If upgrading cannot be done immediately, disable or remove the mod_proxy_ftp configuration from affected virtual hosts
  • Configure a content security policy or web application firewall to block the execution of unexpected scripts in directory listings

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 23:30:00 +0000

Type: References. Values removed: (none shown). Values added: (none shown).

Mon, 08 Jun 2026 19:30:00 +0000

Type: Metrics
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 16:45:00 +0000

Type: First Time appeared. Values: Apache Software Foundation; Apache Software Foundation apache Http Server
Type: Vendors & Products. Values: Apache Software Foundation; Apache Software Foundation apache Http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type: Description. Value: A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Type: Title. Value: Apache HTTP Server: mod_proxy_ftp XSS
Type: Weaknesses. Value: CWE-79
Type: References. Value: (none shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T22:32:22.561Z

Reserved: 2026-03-04T12:16:21.060Z

Link: CVE-2026-29170

Vulnrichment

Updated: 2026-06-08T22:32:22.561Z

NVD

Status : Awaiting Analysis

Published: 2026-06-08T16:16:38.093

Modified: 2026-06-09T01:41:00.563

Link: CVE-2026-29170

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T20:30:06Z

Weaknesses