{
  "threat_severity" : "Moderate",
  "public_date" : "2026-06-08T15:10:09Z",
  "bugzilla" : {
    "description" : "httpd: Apache HTTP Server: Cross-site scripting in mod_proxy_ftp via HTML directory list generation",
    "id" : "2486419",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2486419"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents via either a forward or a reverse proxy configuration.\nUsers are advised to upgrade to version 2.4.68, which fixes this issue.", "A flaw was found in Apache HTTP Server, specifically within the `mod_proxy_ftp` module. This cross-site scripting (XSS) vulnerability occurs during the generation of HTML directory lists when the server is configured to list FTP directory contents via either a forward or reverse proxy. An attacker could exploit this by injecting malicious scripts into the generated directory listing page, which could lead to information disclosure or unauthorized actions in the browser of any user who views that listing." ],
  "statement" : "This Moderate-impact cross-site scripting (XSS) vulnerability in Apache HTTP Server's `mod_proxy_ftp` module requires a specific server configuration to be exploitable. The flaw occurs only when `mod_proxy_ftp` is enabled and configured to list FTP directory contents via a proxy, which is not a default setup in Red Hat Enterprise Linux. Successful exploitation depends on a user viewing a specially crafted web page, potentially leading to information disclosure or unauthorized actions within the user's browser context.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-29170\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29170\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-29170",
  "csaw" : false
}