CVE-2026-41234
Published: June 04, 2026
Updated: June 07, 2026
Froxlor is open source server administration software. Prior to version 2.3.7, the "DomainZones.add" API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives ("$INCLUDE", "$GENERATE") and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.
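The defect above is a classic output-neutralization failure: a value that is harmless inside the web application becomes structural once it is interpolated into a line-oriented zone file. The following is an added PHP example, not Froxlor's own code, showing the naive rendering pattern the advisory describes next to a hardened form that rejects control characters before the value reaches the zone file and emits the content as properly quoted RFC 1035 character-strings. Function names and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Froxlor's code): zone-line rendering with and without
// neutralization of newline characters. Function names are hypothetical and
// the sample record values below are constructed.

/**
 * Naive renderer: the record value is interpolated directly, so a value
 * containing "\n" closes the record line early and whatever follows becomes
 * a new line of the zone file (the defect CVE-2026-41234 describes).
 */
function renderTxtLineNaive(string $name, int $ttl, string $content): string
{
    return sprintf("%s\t%d\tIN\tTXT\t\"%s\"\n", $name, $ttl, $content);
}

/**
 * Reject any C0 control character or DEL. LF (0x0A) and CR (0x0D) are the
 * ones that break out of the record line; the others have no legitimate
 * place in a TXT value submitted through an API either.
 */
function assertNoControlChars(string $value, string $what): void
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException("$what contains control characters");
    }
}

/**
 * Hardened renderer: validate first, then emit the value as one or more
 * quoted <character-string>s (RFC 1035: at most 255 octets each, with
 * backslash and double quote escaped inside the quotes).
 */
function renderTxtLineSafe(string $name, int $ttl, string $content): string
{
    assertNoControlChars($name, 'record name');
    assertNoControlChars($content, 'TXT content');

    // Chunk the raw octets before escaping so an escape sequence is never
    // split across two character-strings.
    $chunks = $content === '' ? [''] : str_split($content, 255);
    $quoted = array_map(
        static fn (string $chunk): string =>
            '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $chunk) . '"',
        $chunks
    );

    return sprintf("%s\t%d\tIN\tTXT\t%s\n", $name, $ttl, implode(' ', $quoted));
}

// Constructed inputs: an ordinary SPF value and one carrying an embedded newline.
$benign  = 'v=spf1 include:_spf.example.net -all';
$hostile = "v=spf1 -all\n; this text would start a new zone-file line";

// One well-formed record line.
echo renderTxtLineSafe('@', 3600, $benign);

// Two lines reach the zone file; the second is no longer TXT RDATA.
echo renderTxtLineNaive('@', 3600, $hostile);

// The hardened path refuses the value before anything is written.
try {
    renderTxtLineSafe('@', 3600, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The check belongs at the API boundary (the point where the customer-supplied value is accepted), not only in the cron that writes the file, so that a rejected value never lands in the database in the first place. Applying the same validator to every record type, rather than to an enumerated list as the earlier CVE-2026-30932 fix did, is what prevents the kind of gap this advisory reports.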
Affected Packages
https://github.com/froxlor/froxlor.git (GITHUB):
Affected version(s): >=0.9 <2.3.7
Fix Suggestion: Update to version 2.3.7

froxlor/froxlor (PHP):
Affected version(s): >=dev-backup-feature <2.3.7
Fix Suggestion: Update to version 2.3.7

CVSS v4
Base Score: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: NONE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: HIGH
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 7.6
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: HIGH
Availability: LOW
Weakness Type (CWE): Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
EPSS
Base Score: 0.04