CVE-2026-41234

EUVD-2026-34313

04.06.2026, 19:16

Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	7.6 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
froxlor	froxlor	𝑥 < 2.3.7	CNA

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Vulnerability Media Exposure

[GERMAN] Froxlor: Schwachstelle ermöglicht Manipulation, Offenlegung und DoS
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Froxlor ausnutzen, um Daten zu manipulieren, Informationen offenzulegen oder einen Denial of Servcie zu verursachen.
Published: 2026-06-02T22:00:00+00:00

References

https://github.com/advisories/GHSA-x6w6-2xwp-3jh6

https://github.com/froxlor/froxlor/releases/tag/2.3.7

https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x