Description
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
Published: 2026-04-23
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: DNS configuration manipulation
Action: Patch Immediately
AI Analysis

Impact

DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a non‑validated type is submitted, content validation is bypassed and embedded newlines are stored and later written directly into BIND zone files via DnsEntry::__toString(). An authenticated customer can inject arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE), allowing the attacker to alter DNS zone configuration, redirect traffic, or disrupt service.

Affected Systems

Froxlor server administration software versions earlier than 2.3.6 running on any server where customers can access the domain zone management interface. All installations of froxlor less than 2.3.6 are affected.

Risk and Exploitability

The CVSS score of 8.5 marks this as high severity. EPSS is under 1%, indicating a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated web user with domain administrator rights submitting crafted DNS record types through the administration interface; because content is not sanitized, newline characters survive and are written into zone files, giving an attacker the power to inject BIND directives.

Generated by OpenCVE AI on April 28, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade froxlor to version 2.3.6 or later, where the input validation is corrected.
  • Restrict DNS record types to a controlled whitelist and disable the acceptance of arbitrary record types in the UI or API.
  • Enforce server‑side validation that rejects or removes newline characters from the content field before database insertion.
  • Regularly monitor and audit BIND zone files for unauthorized changes or injected directives.

Generated by OpenCVE AI on April 28, 2026 at 07:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-47hf-23pw-3m8c Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Froxlor
Froxlor froxlor
CPEs cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*
Vendors & Products Froxlor
Froxlor froxlor

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
Title Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Weaknesses CWE-93
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L'}

Subscriptions

Froxlor Froxlor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T13:58:27.592Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41230

cve-icon Vulnrichment

Updated: 2026-04-23T13:58:23.784Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T04:16:19.783

Modified: 2026-04-27T17:01:11.480

Link: CVE-2026-41230

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:45:26Z

Weaknesses