CVE-2026-41230 · HIGH 8.5 · EPSS percentile 26.4%

Description

Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
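To make the validation gap concrete, here is an added illustration (not Froxlor's code, and not the 2.3.6 fix) in Python: `weak_validate` mimics the if/elseif pattern the advisory describes, where any record type outside the chain falls through with only a `trim()`, and `hardened_validate` shows the two checks that close it, an allow-list of record types and rejection of CR/LF/NUL and directive-shaped content. The allowed-type set, function names and the sample record are assumptions for this example; `find_injected_lines` is a simple defensive scan an operator could run over generated zone files.

```python
from __future__ import annotations
import re

# Illustrative allow-list for this example (an assumption, not Froxlor's own list).
ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SRV", "CAA"}
_LINE_BREAK = re.compile(r"[\r\n\x00]")
_DIRECTIVE = re.compile(r"^\s*\$(INCLUDE|ORIGIN|GENERATE|TTL)\b", re.IGNORECASE)


def weak_validate(rtype: str, content: str) -> bool:
    """Mimics the advisory's pattern: only types named in the chain are checked;
    every other type falls through, and strip() leaves embedded newlines intact."""
    content = content.strip()
    if rtype == "A":
        return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", content) is not None
    if rtype == "CNAME":
        return re.fullmatch(r"[A-Za-z0-9.-]+", content) is not None
    return True  # NAPTR, PTR, HINFO, ...: accepted without any content check


def hardened_validate(rtype: str, content: str) -> tuple[bool, str]:
    """Allow-list the type first, then refuse anything that could end the
    zone-file line early or smuggle in a directive."""
    rtype = rtype.strip().upper()
    if rtype not in ALLOWED_TYPES:
        return False, f"record type {rtype!r} not allowed"
    if _LINE_BREAK.search(content):
        return False, "content contains CR, LF or NUL"
    content = content.strip()
    if not content:
        return False, "content is empty"
    if _DIRECTIVE.match(content):
        return False, "content looks like a zone-file directive"
    return True, "ok"


def find_injected_lines(zone_text: str) -> list[str]:
    """Defensive scan of a generated zone file: a customer-managed zone built
    from database rows should never contain $-directives at line start."""
    return [line for line in zone_text.splitlines() if _DIRECTIVE.match(line)]


# Constructed sample input: an unlisted type whose content carries a newline
# followed by a directive (placeholder path, not a real target).
SAMPLE_TYPE = "HINFO"
SAMPLE_CONTENT = '"x86" "linux"\n$INCLUDE placeholder-path'
```

Run against the sample, the weak check accepts the record while the hardened one rejects it on the type alone, and would reject it again on the newline even if `HINFO` were added to the allow-list.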

Scoring

CVSS 3.1: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
EPSS: 0.35% probability of exploitation · percentile 26.4% · 2026-06-19T12:03:05Z
Published: 2026-04-23
Last modified: 2026-04-27

Underlying weaknesses · 1

CWE-93

References

  1. https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442
  2. https://github.com/froxlor/froxlor/releases/tag/2.3.6
  3. https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c

Type      Target                                                                 Confidence  Tier
Weakness  Improper Neutralization of CRLF Sequences ('CRLF Injection') (cwe-93)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-30932
  2. CVE-2026-41234
  3. CVE-2026-41237
  4. CVE-2026-41229
  5. CVE-2026-41235
  6. CVE-2026-41228
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.