CVE-2026-29170: Apache HTTP Server FTP Proxy XSS Vulnerability
Apache HTTP Server versions 2.4.67 and earlier contain a cross-site scripting (XSS) vulnerability in the mod_proxy_ftp module. When the server is configured to proxy FTP directory listings—whether forwarding traffic to an upstream FTP server or presenting one via reverse proxy—it fails to properly sanitize HTML generated for directory contents. An attacker can craft malicious FTP directory entries or filenames containing JavaScript code. When an administrator or user views the directory listing in a browser, the malicious script executes in their session, potentially allowing session hijacking, credential theft, or administrative actions.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-29170 is an improper output encoding vulnerability (CWE-79) in Apache HTTP Server's mod_proxy_ftp module. The vulnerability occurs in HTML directory list generation when FTP content is proxied. The module constructs HTML responses containing directory entries without adequately encoding special characters or removing script tags from filenames or directory metadata. Because the CVSS vector includes UI:R (user interaction required) and S:C (scope changed), exploitation requires a victim to visit a crafted FTP proxy URL, but successful exploitation affects the confidentiality and integrity of that user's session and potentially the wider application scope depending on proxy configuration. The vulnerability affects all versions up to and including 2.4.67.
Business impact
For organizations running Apache HTTP Server as an FTP proxy gateway—common in legacy infrastructure, managed file transfer scenarios, or hybrid cloud setups—this vulnerability creates a persistent XSS risk. An attacker positioned to influence FTP directory contents (via a compromised upstream FTP server, man-in-the-middle position, or malicious file upload) can compromise any administrator or end user who browses the FTP directory through the proxy. Session tokens, API keys, or CSRF tokens could be exfiltrated. In multi-tenant or shared proxy environments, the scope change (S:C) means an attacker could pivot beyond the FTP service itself. Remediation is straightforward but requires patching and testing before production rollout.
Affected systems
Apache HTTP Server versions 2.4.67 and earlier are vulnerable when mod_proxy_ftp is loaded and configured. This primarily affects organizations using Apache as an FTP-to-HTTP bridge, including those with forward proxy configurations pointing to FTP backends or reverse proxy setups exposing FTP listings. The vulnerability does not affect default Apache installations, which do not load mod_proxy_ftp unless explicitly enabled. Modern deployments using dedicated FTP servers or cloud-native file transfer solutions are at lower risk; those operating legacy FTP proxies should prioritize assessment.
Exploitability
Exploitation requires user interaction (a victim visiting the proxied FTP directory in a browser) and network access to the proxy service. There is no CVSS evidence of remote code execution or server-side execution; the attack is confined to client-side XSS. No public exploits or KEV listing exist at this time. However, the attack surface is broad if the FTP proxy is internet-facing or accessible to untrusted users. An attacker does not need authentication to trigger the vulnerability—they only need to influence FTP directory contents or intercept the HTTP response. Practical exploitability remains moderate; successful attacks are possible but depend on deployment configuration and user behavior.
Remediation
Upgrade Apache HTTP Server to version 2.4.68 or later, which addresses the output encoding defect in mod_proxy_ftp. For organizations unable to upgrade immediately, mitigating controls include: restricting FTP proxy access to trusted networks or authenticated users via firewall rules or HTTP authentication; disabling mod_proxy_ftp if not actively used; and implementing Content Security Policy (CSP) headers to restrict inline script execution. However, these are temporary measures and should not replace patching. Test the upgrade in a staging environment to confirm FTP proxy functionality remains intact and no application dependencies are affected.
Patch guidance
Apache HTTP Server 2.4.68 is the recommended fixed version. Administrators should consult the official Apache HTTP Server release notes and security advisories to confirm patch availability for their deployment platform (Linux distributions, Windows, or containerized environments often lag slightly behind upstream releases). Prioritize patching systems where mod_proxy_ftp is active and exposed to end users or administrators. If upgrading to the latest minor version is not feasible, verify against the vendor advisory whether backported patches for 2.4.67 or earlier branches are available. Plan downtime or use rolling restart strategies to minimize service interruption.
Detection guidance
Monitor FTP proxy access logs and mod_proxy_ftp module activity for requests containing suspicious characters in FTP paths or directory names (e.g., angle brackets, script tags, event handlers). Configure web application firewalls (WAF) to filter requests with XSS payloads targeting the proxy endpoint. Implement browser-based monitoring (e.g., CSP violation reports) to detect blocked XSS attempts. If access logs capture full HTTP responses, search for unencoded HTML entities in filenames or directory listings. Review mod_proxy_ftp configuration to identify active deployments and assess exposure. Post-patch, verify that FTP directory listings no longer execute inline scripts by testing with known XSS payloads in a controlled FTP environment.
Why prioritize this
While the CVSS score of 6.1 (MEDIUM) reflects the user interaction requirement and limited impact scope, the vulnerability should be prioritized for patching in environments where mod_proxy_ftp is actively deployed and accessible. The lack of KEV listing and public exploits means this is not an immediate critical threat, but delayed patching extends the window for exploitation. Organizations with exposed FTP proxies or those serving multiple end users should prioritize this within their standard patching cadence (next 1–2 months). Those with tightly controlled or internal-only FTP proxies may defer but should not ignore it.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects a medium-severity XSS vulnerability with network accessibility, low attack complexity, and no privilege requirement. The requirement for user interaction (UI:R) reduces the score from what a server-side RCE might achieve. Scope change (S:C) increases the score slightly, indicating potential impact beyond the vulnerable component. Confidentiality and integrity are partially compromised (C:L, I:L) through session hijacking or malicious redirection, while availability is not affected (A:N). This scoring is appropriate for a client-side XSS in a proxy middleware component.
Frequently asked questions
Does this vulnerability affect Apache servers that do not use the FTP proxy module?
No. The vulnerability is specific to mod_proxy_ftp. If your Apache installation does not have mod_proxy_ftp loaded or enabled, you are not affected. You can verify this by checking your Apache configuration files (httpd.conf and included modules) for any ProxyFTP directives or LoadModule statements referencing mod_proxy_ftp.
Can this vulnerability be exploited without user interaction?
No. The vulnerability requires a user (administrator or end user) to visit the FTP proxy directory listing in a browser. An attacker cannot exploit it remotely without social engineering or tricking a user into accessing the proxy URL. The CVSS vector explicitly flags UI:R (user interaction required) for this reason.
What is the difference between a forward FTP proxy and a reverse FTP proxy in this context?
A forward proxy intercepts requests from clients and relays them to an upstream FTP server. A reverse proxy presents an FTP backend to clients as if it were native. Both configurations use mod_proxy_ftp to generate HTML directory listings, and both are vulnerable to this XSS if filenames or directory metadata are not encoded. The fix in version 2.4.68 addresses both scenarios.
Are there any workarounds if I cannot immediately patch to 2.4.68?
Yes, temporarily disable mod_proxy_ftp if it is not essential, restrict access to the FTP proxy via firewall or authentication, or implement a strict Content Security Policy (CSP) header to block inline scripts. However, these are mitigation measures, not fixes. Patching to 2.4.68 as soon as feasible is the proper remediation.
This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. CVSS scores, affected versions, and patch information are sourced from official Apache HTTP Server advisories and the National Vulnerability Database. Organizations should verify patch availability and compatibility with their specific deployment before applying updates. SEC.co does not provide legal advice; consult your organization's security and legal teams regarding disclosure, patching timelines, and regulatory obligations. This content is not a substitute for professional security assessment or incident response guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34033MEDIUMApache Answer XSS in Notification Emails – Vulnerability Explainer
- CVE-2026-42253MEDIUMApache ActiveMQ Header Injection XSS Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability