CVE-2026-41230

Published: Apr 23, 2026

Modified: Apr 23, 2026

PUBLISHED

CVSS v3.1

8.5

HIGH

Description

Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.

Vendor	Product	Versions
froxlor	froxlor	affected `< 2.3.6`

Weaknesses (CWE)

CWE-93

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

References

https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c

x_refsource_CONFIRM

https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442

x_refsource_MISC

https://github.com/froxlor/froxlor/releases/tag/2.3.6

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41230

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References