CRLF injection in Froxlor - CVE-2026-41230


Published: April 27, 2026


Vulnerability identifier: #VU128198
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41230
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software:
Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary DNS records and BIND directives, and cause a denial of service.

The vulnerability exists due to improper neutralization of CRLF sequences in DomainZones::add() and DnsEntry::__toString() when processing DNS record content for unsupported record types. A remote user can submit a specially crafted API request containing newline characters to inject arbitrary DNS records and BIND directives, and cause a denial of service.

Exploitation requires DNS editing to be enabled for the customer account. Injected lines are written into the domain's BIND zone file, where BIND parses each of them as an independent record or directive.
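The following PHP 8 example is added here to illustrate the weakness class the advisory describes (CWE-93, CRLF injection into a line-oriented zone file); it is not Froxlor's code, and the class names `UnsafeZoneRecord`, `ZoneRecord` and the function `auditZoneFile` are hypothetical. It shows a renderer that interpolates record content verbatim beside a hardened one that rejects control characters and directive-like content before `__toString()` is reached, plus a post-generation audit that flags directive lines appearing where only resource records are expected. The sample input is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical, simplified zone record renderer (not Froxlor's DnsEntry class).
// Vulnerable pattern: record content is interpolated into a zone-file line, so
// any CR/LF inside it starts a new line that BIND parses on its own.
final class UnsafeZoneRecord
{
    public function __construct(
        private string $name,
        private string $type,
        private string $content,
        private int $ttl = 3600,
    ) {}

    public function __toString(): string
    {
        return sprintf("%s\t%d\tIN\t%s\t%s\n", $this->name, $this->ttl, $this->type, $this->content);
    }
}

// Hardened counterpart: validate in the constructor so an invalid value can
// never reach __toString(). An allow-list of types closes the "unsupported
// record type" path, and control characters are rejected outright.
final class ZoneRecord
{
    private const SUPPORTED_TYPES = ['A', 'AAAA', 'CNAME', 'MX', 'NS', 'TXT', 'SRV', 'CAA'];

    public function __construct(
        private string $name,
        private string $type,
        private string $content,
        private int $ttl = 3600,
    ) {
        $this->type = strtoupper($type);
        if (!in_array($this->type, self::SUPPORTED_TYPES, true)) {
            throw new InvalidArgumentException("Unsupported record type: {$type}");
        }
        // A zone file is line-oriented text: no control character (CR, LF,
        // NUL, tab tricks, ...) belongs inside a name or record data.
        foreach ([$name, $content] as $field) {
            if (preg_match('/[\x00-\x1F\x7F]/', $field) === 1) {
                throw new InvalidArgumentException('Control characters are not allowed in DNS record data');
            }
        }
        // Content that starts with "$" or ";" would read as a directive or comment.
        if (preg_match('/^\s*[\$;]/', $content) === 1) {
            throw new InvalidArgumentException('Record content must not start with a zone directive or comment');
        }
    }

    public function __toString(): string
    {
        return sprintf("%s\t%d\tIN\t%s\t%s\n", $this->name, $this->ttl, $this->type, $this->content);
    }
}

/**
 * Defensive audit of a generated zone file: report every line after the header
 * that is a BIND directive ($ORIGIN, $TTL, $INCLUDE, ...) or that does not look
 * like a resource record. Intended as a check before the file reaches named.
 *
 * @return string[] findings, empty when the file looks clean
 */
function auditZoneFile(string $zone, int $headerLines = 2): array
{
    $findings = [];
    $lines = preg_split('/\r\n|\r|\n/', $zone);
    foreach ($lines as $i => $line) {
        $lineNo = $i + 1;
        if ($lineNo <= $headerLines || trim($line) === '' || str_starts_with(ltrim($line), ';')) {
            continue;
        }
        if (str_starts_with(ltrim($line), '$')) {
            $findings[] = "line {$lineNo}: unexpected directive: {$line}";
        } elseif (preg_match('/^\S+\s+(\d+\s+)?IN\s+[A-Z]+\s+\S/', $line) !== 1) {
            $findings[] = "line {$lineNo}: unparseable record: {$line}";
        }
    }
    return $findings;
}

// Constructed sample: record content carrying an embedded line break followed
// by a BIND directive, the shape of input the advisory describes.
$crafted = "203.0.113.10\n\$TTL 60";

$unsafe = new UnsafeZoneRecord('www', 'A', $crafted);
echo (string) $unsafe; // two lines reach the zone file instead of one
print_r(auditZoneFile("\$ORIGIN example.test.\n\$TTL 3600\n" . $unsafe)); // flags line 4

try {
    new ZoneRecord('www', 'A', $crafted);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The audit is deliberately strict: it expects the `IN` class on every record line and treats anything else after the header as a finding, which is the right trade-off for machine-generated zone files where the writer controls the layout. Run it over the generated file before reloading the zone, and treat any finding as a sign that untrusted record content bypassed validation.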


How to mitigate CVE-2026-41230

Install the security update from the vendor's website.

Sources