Cross-Site Scripting Vulnerability in Apache HTTP Server Mod Proxy FTP
CVE-2026-29170

6.1MEDIUM

Key Information:

Vendor

Apache

Vendor
CVE Published:
8 June 2026

What is CVE-2026-29170?

A cross-site scripting (XSS) vulnerability is present in the HTML directory list generation of mod_proxy_ftp in Apache HTTP Server versions 2.4.67 and earlier. This flaw may allow an attacker to inject malicious scripts via FTP directory content listings when using either forward or reverse proxy configurations. Users should immediately update to Apache HTTP Server version 2.4.68 or later to mitigate this security risk.

Affected Version(s)

Apache HTTP Server 0 <= 2.4.67

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pavel Kohout, Aisle Research, Aisle.com
.