Improper Neutralization of Special Elements in Output Used by a Downstream Component in Froxlor - CVE-2026-41237
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to inject arbitrary DNS records into bind9 zone files.
The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in DnsEntry.php when processing DNS record content for LOC, RP, SSHFP, and TLSA records. A remote user can submit crafted DNS record content with embedded newlines to inject arbitrary DNS records into bind9 zone files.
Exploitation requires DNS management permissions.
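One way to neutralize such content before it reaches the zone-file writer is an allow-list grammar per record type. The following is an added example, not Froxlor's code or its actual fix: the function name `validateRdata`, the `RDATA_PATTERNS` table and the sample inputs are assumptions, and the patterns accept only a conservative subset of each type's presentation format.

```php
<?php
declare(strict_types=1);

// Hypothetical validator (added example, not Froxlor's DnsEntry.php code).
// Patterns use \A and \z: "$" would still match before a trailing newline.
const RDATA_PATTERNS = [
    // algorithm fp-type hex-fingerprint
    'SSHFP' => '/\A[0-9]{1,3} [0-9]{1,3} [0-9A-Fa-f]{2,128}\z/',
    // usage selector matching-type hex-data
    'TLSA'  => '/\A[0-9]{1,3} [0-9]{1,3} [0-9]{1,3} [0-9A-Fa-f]{2,1024}\z/',
    // mbox-dname txt-dname
    'RP'    => '/\A[A-Za-z0-9._-]{1,253} [A-Za-z0-9._-]{1,253}\z/',
    // d [m [s]] N|S d [m [s]] E|W alt[m] [size [hp [vp]]]
    'LOC'   => '/\A\d{1,2}( \d{1,2}( \d{1,2}(\.\d{1,3})?)?)? [NS] \d{1,3}( \d{1,2}( \d{1,2}(\.\d{1,3})?)?)? [EW] -?\d{1,8}(\.\d{1,2})?m?( \d{1,8}(\.\d{1,2})?m?){0,3}\z/',
];

function validateRdata(string $type, string $content): string
{
    // Refuse line breaks and every other control character up front.
    if (preg_match('/[\x00-\x1F\x7F]/', $content) === 1) {
        throw new InvalidArgumentException("control character in $type content");
    }
    $pattern = RDATA_PATTERNS[$type] ?? null;
    if ($pattern === null) {
        throw new InvalidArgumentException("no validator for type $type");
    }
    if (preg_match($pattern, $content) !== 1) {
        throw new InvalidArgumentException("malformed $type content");
    }
    return $content;
}

// Constructed sample inputs; the last one carries an embedded newline.
$samples = [
    ['SSHFP', '4 2 ' . str_repeat('ab', 32)],
    ['TLSA', '3 1 1 ' . str_repeat('0f', 32)],
    ['RP', 'hostmaster.example.com. info.example.com.'],
    ['LOC', '52 22 23.000 N 4 53 32.000 E -2.00m 0.00m 10000m 10m'],
    ['SSHFP', "4 2 abcd\nsecond-line"],
];
foreach ($samples as [$type, $content]) {
    try {
        validateRdata($type, $content);
        echo "$type: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$type: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The first four samples are accepted and the last is rejected at the control-character check, before any type-specific parsing runs.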