Input validation error in Froxlor - CVE-2026-41234
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to inject arbitrary DNS records, disclose sensitive information, and cause a denial of service.
The vulnerability exists due to improper input validation in the DomainZones.add API endpoint when processing TXT record content containing newline characters. A remote user can submit a specially crafted TXT record value to inject arbitrary BIND directives and DNS records into the generated zone file, resulting in injection of arbitrary DNS records, disclosure of sensitive information, and denial of service.
Exploitation requires DNS editing to be enabled for the customer, and the injected content is written to disk when the DNS rebuild cron regenerates the zone file.
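The flaw class described above, shown as an added example (not Froxlor's code, which is PHP): a zone-line renderer that pastes TXT content in unchanged, next to one that rejects newlines and control characters and emits escaped, quoted character-strings. The function names, the printable-ASCII policy and the sample value are assumptions made for illustration.

```python
import re

MAX_CHUNK = 255  # one TXT character-string holds at most 255 bytes (RFC 1035)
# Assumption: this policy allows printable ASCII only in TXT content.
PRINTABLE_ASCII = re.compile(r"[\x20-\x7e]+")

# Constructed sample input: a TXT value with an embedded newline.
SAMPLE = "v=spf1 -all\nextra 300 IN A 192.0.2.10"


def render_txt_naive(name, ttl, content):
    """Unsafe pattern: the submitted value is pasted into the zone line as-is."""
    return f"{name} {ttl} IN TXT {content}"


def validate_txt(content):
    """Reject CR, LF, other control characters and non-ASCII input."""
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    if not isinstance(content, str) or not PRINTABLE_ASCII.fullmatch(content):
        raise ValueError("TXT content must be non-empty printable ASCII")
    return content


def accepts(content):
    """True if the value passes validation."""
    try:
        validate_txt(content)
        return True
    except ValueError:
        return False


def render_txt_safe(name, ttl, content):
    """Validate, then emit the value as escaped, quoted character-strings."""
    # Assumption: name and ttl are validated elsewhere.
    value = validate_txt(content)
    chunks = [value[i:i + MAX_CHUNK] for i in range(0, len(value), MAX_CHUNK)]
    quoted = " ".join(
        '"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks
    )
    return f"{name} {ttl} IN TXT {quoted}"


if __name__ == "__main__":
    print(render_txt_naive("example.test.", 300, SAMPLE).splitlines())
    print(accepts(SAMPLE))
    print(render_txt_safe("example.test.", 300, "v=spf1 -all"))
```

Because the zone file is written later by the rebuild cron, the check belongs at render time as well as at the API boundary, so that values stored before validation existed are also caught.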