CVE-2026-41230

Source
https://cve.org/CVERecord?id=CVE-2026-41230
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41230.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41230
Aliases
Published
2026-04-23T03:47:11.258Z
Modified
2026-07-08T08:13:13.037089014Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L CVSS Calculator
Summary
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Details

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add() accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded newline characters in the content survive trim() processing, are stored in the database, and are written directly into BIND zone files via DnsEntry::__toString(). An authenticated customer can inject arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE) into their domain's zone file. Version 2.3.6 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41230.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-93"
    ]
}
References

Affected packages

Git / github.com/froxlor/froxlor

Affected ranges

Type
GIT
Repo
https://github.com/froxlor/froxlor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.6"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.10.0
0.10.0-rc1
0.10.0-rc2
0.10.1
0.10.10
0.10.11
0.10.12
0.10.13
0.10.14
0.10.15
0.10.16
0.10.17
0.10.18
0.10.19
0.10.2
0.10.20
0.10.21
0.10.22
0.10.23
0.10.23.1
0.10.24
0.10.25
0.10.26
0.10.27
0.10.28
0.10.29
0.10.29.1
0.10.3
0.10.30
0.10.31
0.10.32
0.10.33
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.9.18
0.9.18.1
0.9.19
0.9.20
0.9.20.1
0.9.21
0.9.22
0.9.22-rc1
0.9.23
0.9.23-rc1
0.9.24
0.9.24-rc1
0.9.25
0.9.25-rc1
0.9.26
0.9.26-rc1
0.9.27
0.9.27-rc1
0.9.28
0.9.28-rc1
0.9.28.1
0.9.29
0.9.29-rc1
0.9.30
0.9.30-rc1
0.9.31-rc1
0.9.32
0.9.32-rc1
0.9.32-rc2
0.9.33-rc1
0.9.33-rc2
0.9.33-rc3
0.9.34.1
0.9.34.2
0.9.35
0.9.35-rc1
0.9.35.1
0.9.36
0.9.37
0.9.37-rc1
0.9.38
0.9.38-rc1
0.9.38-rc2
0.9.38.1
0.9.38.2
0.9.38.3
0.9.38.4
0.9.38.5
0.9.38.6
0.9.38.7
0.9.38.8
0.9.39
0.9.39.1
0.9.39.2
0.9.39.3
0.9.39.4
0.9.39.5
2.*
2.0.1
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.18
2.0.19
2.0.2
2.0.20
2.0.21
2.0.22
2.0.23
2.0.24
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.0-beta1
2.1.0-beta2
2.1.0-rc1
2.1.0-rc2
2.1.0-rc3
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0-rc1
2.3.0
2.3.0-rc1
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41230.json"