{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41230", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T03:47:11.258Z", "dateUpdated": "2026-04-23T13:58:27.592Z"}, "containers": {"cna": {"title": "Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"}, {"name": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:47:11.258Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue."}], "source": {"advisory": "GHSA-47hf-23pw-3m8c", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:58:05.259261Z", "id": "CVE-2026-41230", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:58:27.592Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41230", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.134Z", "datePublished": "2026-04-23T03:47:11.258Z", "dateUpdated": "2026-04-23T13:58:27.592Z"}, "containers": {"cna": {"title": "Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"}, {"name": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442"}, {"name": "https://github.com/froxlor/froxlor/releases/tag/2.3.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}], "affected": [{"vendor": "froxlor", "product": "froxlor", "versions": [{"version": "< 2.3.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T03:47:11.258Z"}, "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue."}], "source": {"advisory": "GHSA-47hf-23pw-3m8c", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41230", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T13:58:05.259261Z"}}}], "references": [{"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:58:23.784Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A9C896A-1305-4134-850E-4B44962A6C0A", "versionEndExcluding": "2.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue."}], "id": "CVE-2026-41230", "lastModified": "2026-04-27T17:01:11.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T04:16:19.783", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/froxlor/froxlor/commit/47a8af5d9523cb6ec94567405cfc2e294d3a1442"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-47hf-23pw-3m8c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.6)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "froxlor", "source": "cna", "vendor": "froxlor"}, "product": "froxlor", "vendor": "froxlor"}], "analysis": {"en": {"generated_at": "2026-04-28T07:39:55.926867+00:00", "value": {"mitigation_remediation": ["Upgrade froxlor to version 2.3.6 or later, where the input validation is corrected.", "Restrict DNS record types to a controlled whitelist and disable the acceptance of arbitrary record types in the UI or API.", "Enforce server\u2011side validation that rejects or removes newline characters from the content field before database insertion.", "Regularly monitor and audit BIND zone files for unauthorized changes or injected directives."], "summary": {"action": "Patch Immediately", "impact": "DNS configuration manipulation"}, "threat_synthesis": {"affected_systems": "Froxlor server administration software versions earlier than 2.3.6 running on any server where customers can access the domain zone management interface. All installations of froxlor less than 2.3.6 are affected.", "description_and_impact": "DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a non\u2011validated type is submitted, content validation is bypassed and embedded newlines are stored and later written directly into BIND zone files via DnsEntry::__toString(). An authenticated customer can inject arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE), allowing the attacker to alter DNS zone configuration, redirect traffic, or disrupt service.", "risk_and_exploitability": "The CVSS score of 8.5 marks this as high severity. EPSS is under 1%, indicating a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated web user with domain administrator rights submitting crafted DNS record types through the administration interface; because content is not sanitized, newline characters survive and are written into zone files, giving an attacker the power to inject BIND directives."}}}}, "created": "2026-04-27T23:45:15.685513+00:00", "updated": "2026-04-28T07:45:26.036930+00:00", "vendors": ["froxlor", "froxlor$PRODUCT$froxlor"]}