Froxlor Critical Flaw Allows Arbitrary DNS Record Injection
The National Vulnerability Database has detailed CVE-2026-41230, a high-severity vulnerability in Froxlor, open-source server administration software. Prior to version 2.3.6, the DomainZones::add() function failed to sanitize newline characters in the content field when certain DNS record types (e.g., NAPTR, PTR, HINFO) were submitted, so content validation was bypassed entirely for those types.
This flaw allows an authenticated customer to inject arbitrary DNS records and BIND directives, such as $INCLUDE, $ORIGIN, and $GENERATE, directly into their domain’s zone file. The embedded newline characters persist through processing and are written verbatim into the BIND zone file, so each injected line is parsed by BIND as a record or directive of its own. This opens the door to significant abuse, including potential domain hijacking, cache poisoning, or even RCE on the DNS server if misconfigurations exist.
Defenders running Froxlor installations must prioritize patching to version 2.3.6 immediately. The CVSS score of 8.5 (HIGH) underscores the severity of this vulnerability, which could lead to widespread disruption and place DNS infrastructure under an attacker’s control.
What This Means For You
- If your organization uses Froxlor for server administration, you are directly exposed to CVE-2026-41230. This isn't just a minor info leak; it's a critical injection vulnerability that can compromise your DNS infrastructure. Immediately patch all Froxlor instances to version 2.3.6. After patching, audit your BIND zone files for any unauthorized or suspicious entries that may have been injected by an authenticated user, as existing malicious entries won't automatically be removed by the patch.
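The two defensive steps above, an unconditional structural check on record content before anything reaches the zone file and an audit of existing zone files for entries a customer should never be able to produce, as an added example. This is not Froxlor's code: the control-character rule, the directive handling, the zone_name argument and the sample zone are assumptions constructed for illustration, and the real DomainZones::add() validation is not shown on the page.

```python
"""Added example (not Froxlor's own code): a hardened record-content check of
the kind CVE-2026-41230 calls for, plus an audit over a constructed BIND zone
file that flags what an injected multi-line 'content' value leaves behind."""
import re

# Assumed rules for this example: any ASCII control character (including \n
# and \r) is rejected, and a '$' at the start of a line is BIND directive syntax.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
BIND_DIRECTIVE = re.compile(r"^\$([A-Za-z]+)\b")


class ZoneInputError(ValueError):
    """Raised when user-supplied record content cannot go into a zone file."""


def validate_record_content(rtype: str, content: str) -> str:
    """Structural check that runs for EVERY record type, before any
    type-specific validation. The flaw described on the page was that the
    newline check was tied to per-type validation and therefore skipped for
    types such as NAPTR, PTR and HINFO; running it unconditionally closes
    that gap no matter which types the per-type rules cover."""
    if CONTROL_CHARS.search(content):
        raise ZoneInputError(f"{rtype}: line breaks/control characters are not allowed")
    if content.lstrip().startswith("$"):
        raise ZoneInputError(f"{rtype}: content may not begin with BIND directive syntax")
    return content.strip()


def audit_zone_file(zone_text: str, zone_name: str) -> list:
    """Return (line number, finding) pairs for lines a customer-managed zone
    should never contain: $INCLUDE/$GENERATE directives, $ORIGIN changes that
    leave the zone, and records whose owner name resolves outside the zone."""
    zone = zone_name.rstrip(".").lower()
    origin = zone          # BIND's current $ORIGIN, tracked as we read
    findings = []

    def inside(name: str) -> bool:
        return name == zone or name.endswith("." + zone)

    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # drop zone-file comments
        if not line.strip():
            continue
        m = BIND_DIRECTIVE.match(line)
        if m:
            directive = m.group(1).upper()
            parts = line.split()
            if directive in ("INCLUDE", "GENERATE"):
                findings.append((lineno, f"${directive} directive present"))
            elif directive == "ORIGIN" and len(parts) > 1:
                origin = parts[1].rstrip(".").lower()
                if not inside(origin):
                    findings.append((lineno, f"$ORIGIN leaves zone: {origin}"))
            continue
        if line[0].isspace():
            continue   # owner inherited from the previous record; nothing new to check
        owner = line.split()[0]
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".").lower()
        else:
            fqdn = f"{owner.lower()}.{origin}"
        if not inside(fqdn):
            findings.append((lineno, f"record owner outside zone: {fqdn}"))
    return findings


# Constructed sample zone for the audit; the last four non-comment lines mimic
# the kind of records and directives the advisory says can be injected.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.test.
@    IN SOA ns1.example.test. hostmaster.example.test. (2026042301 7200 900 1209600 300)
     IN NS  ns1.example.test.
www  IN A   192.0.2.10
; constructed lines below mimic what an injected multi-line 'content' value leaves behind
4.2.0.192.in-addr.arpa. IN PTR www.example.test.
$INCLUDE /placeholder/path/other.zone
$ORIGIN victim.test.
www  IN A   192.0.2.99
"""

if __name__ == "__main__":
    print(validate_record_content("PTR", "www.example.test."))
    for lineno, finding in audit_zone_file(SAMPLE_ZONE, "example.test"):
        print(f"line {lineno}: {finding}")
```

Run the audit against a copy of each customer zone file after patching, with zone_name set to the domain the customer owns; any finding is an entry the patch will not remove on its own and needs manual review. The validator deliberately rejects on the first control character rather than stripping it, so a rejected submission is visible in the application log instead of being silently altered.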
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41230 | Code Injection | Froxlor server administration software |
| CVE-2026-41230 | Code Injection | Froxlor versions prior to 2.3.6 |
| CVE-2026-41230 | Code Injection | Vulnerable function: DomainZones::add() |
| CVE-2026-41230 | Code Injection | Injection of arbitrary DNS records and BIND directives via 'content' field |
| CVE-2026-41230 | Code Injection | Lack of sanitization for newline characters in 'content' field when DNS type is not covered by validation (e.g., NAPTR, PTR, HINFO) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.