CVE-2026-29170: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache Software Foundation Apache HTTP Server
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
AI Analysis
Technical Summary
This vulnerability involves improper neutralization of input (CWE-79) in the mod_proxy_ftp module of Apache HTTP Server versions 2.4.67 and earlier. When the server generates HTML directory listings of FTP contents through proxy configurations, it fails to properly sanitize input, leading to cross-site scripting risks. The issue is resolved in Apache HTTP Server version 2.4.68.
Potential Impact
Successful exploitation could allow an attacker to inject malicious scripts into the HTML directory listings generated by mod_proxy_ftp, potentially leading to client-side script execution in users' browsers. This could result in theft of user credentials, session hijacking, or other client-side attacks. However, no known exploits are reported in the wild at this time.
Mitigation Recommendations
A fix is available in Apache HTTP Server version 2.4.68. Users should upgrade to this version to remediate the vulnerability. No other vendor advisories or temporary mitigations are indicated.
CVE-2026-29170: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache Software Foundation Apache HTTP Server
Description
A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
CVSS v3.1
Score 6.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves improper neutralization of input (CWE-79) in the mod_proxy_ftp module of Apache HTTP Server versions 2.4.67 and earlier. When the server generates HTML directory listings of FTP contents through proxy configurations, it fails to properly sanitize input, leading to cross-site scripting risks. The issue is resolved in Apache HTTP Server version 2.4.68.
Potential Impact
Successful exploitation could allow an attacker to inject malicious scripts into the HTML directory listings generated by mod_proxy_ftp, potentially leading to client-side script execution in users' browsers. This could result in theft of user credentials, session hijacking, or other client-side attacks. However, no known exploits are reported in the wild at this time.
Mitigation Recommendations
A fix is available in Apache HTTP Server version 2.4.68. Users should upgrade to this version to remediate the vulnerability. No other vendor advisories or temporary mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-04T12:16:21.060Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a26e45ce29bf47b501dd913
Added to database: 6/8/2026, 3:48:44 PM
Last enriched: 6/8/2026, 4:19:08 PM
Last updated: 6/9/2026, 4:58:31 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.