vulnerability context

CVE-2026-29170

CVSS 6.1 MEDIUMEPSS 39%CWE-79

A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

Published 2026-06-08 · last modified 2026-06-17

details

CISA KEV status: Not in catalog
CVSS v3: 6.1 / MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 39% percentile (score 0.0050)
CWE: CWE-79

View on NVD → · cve.org

source mentions 2

CVE-2026-29170 Apache HTTP Server: mod_proxy_ftp XSSMSRC Update Guide · 13d ago
CVE-2026-29170: Apache HTTP Server: mod_proxy_ftp XSSoss-security · 16d ago

source consensus

MSRC Update Guide1×
oss-security1×

Want the 3-bullet summary of CVE-2026-29170, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →