Input validation error in Froxlor - CVE-2026-41234


Published: June 29, 2026


Vulnerability identifier: #VU135777
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41234
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software:
Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary DNS records, disclose sensitive information, and cause a denial of service.

The vulnerability exists due to improper input validation in the DomainZones.add API endpoint when processing TXT record content containing newline characters. Because the value is written verbatim into the generated zone file, a remote user can submit a specially crafted TXT record value whose embedded line breaks are interpreted as additional BIND directives and DNS records. This can be used to inject arbitrary DNS records, disclose sensitive information, and cause a denial of service.

Exploitation requires DNS editing to be enabled for the customer, and the injected content is written to disk when the DNS rebuild cron regenerates the zone file.
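As an added illustration, not Froxlor's own code, the following Python shows the input check the advisory implies was missing and a defensive audit of the output it protects: a TXT value is rejected if it contains line breaks or other control characters before it is rendered as a single quoted, escaped zone-file record, and a second function scans a generated zone file for lines a control panel would never emit (directives appearing after resource records, or owner names outside the zone). The function names, the zone name example.test and the sample zone text are constructed assumptions.

```python
import re

# RFC 1035 limits one <character-string> in TXT RDATA to 255 octets, so
# longer values are split into several quoted strings on the same line.
MAX_CHARACTER_STRING = 255

# Control characters that must never reach a zone file unescaped: CR/LF end
# the record line (the defect described in the advisory), and the rest are
# never legitimate TXT content. Tab (0x09) is allowed inside quotes.
_FORBIDDEN = re.compile(r"[\r\n\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Directives the (assumed) generator writes in the zone header, before any RR.
_HEADER_DIRECTIVES = {"$TTL", "$ORIGIN"}


def validate_txt_value(value: str) -> str:
    """Return the value if it may be written as one record line, else raise."""
    if not isinstance(value, str):
        raise ValueError("TXT value must be a string")
    hit = _FORBIDDEN.search(value)
    if hit:
        raise ValueError(f"control character {hit.group()!r} not allowed in TXT record")
    return value


def _escape_chunk(chunk: bytes) -> str:
    """Quote one <character-string> using BIND's \\" \\\\ and \\DDD escapes."""
    out = []
    for b in chunk:
        if b in (0x22, 0x5C):            # '"' and '\' must be backslash-escaped
            out.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:          # printable ASCII passes through
            out.append(chr(b))
        else:                            # everything else as decimal \DDD
            out.append(f"\\{b:03d}")
    return '"' + "".join(out) + '"'


def render_txt_rr(owner: str, value: str, ttl: int = 3600) -> str:
    """Render a validated TXT value as exactly one zone-file record line."""
    data = validate_txt_value(value).encode("utf-8")
    chunks = [data[i:i + MAX_CHARACTER_STRING]
              for i in range(0, len(data), MAX_CHARACTER_STRING)] or [b""]
    rdata = " ".join(_escape_chunk(c) for c in chunks)
    return f"{owner}\t{ttl}\tIN\tTXT\t{rdata}"


def audit_zone_file(zone_text: str, zone: str) -> list[str]:
    """Flag lines of a generated zone file that the generator should never produce."""
    fqdn = zone.lower().rstrip(".") + "."
    findings = []
    seen_record = False
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if stripped.startswith("$"):
            directive = stripped.split()[0].upper()
            if seen_record:
                findings.append(f"line {lineno}: directive {directive} after resource records")
            elif directive not in _HEADER_DIRECTIVES:
                findings.append(f"line {lineno}: unexpected directive {directive}")
            continue
        seen_record = True
        if line[:1].isspace():           # continuation line or inherited owner
            continue
        owner = stripped.split()[0]
        if owner.endswith(".") and not (owner.lower() == fqdn
                                        or owner.lower().endswith("." + fqdn)):
            findings.append(f"line {lineno}: owner {owner} is outside zone {fqdn}")
    return findings


# Constructed sample: a zone file in which an unvalidated TXT value with embedded
# line breaks was written verbatim, adding a foreign record and a late directive.
SAMPLE_ZONE = "\n".join([
    "$TTL 3600",
    "$ORIGIN example.test.",
    "@\tIN\tSOA\tns1.example.test. hostmaster.example.test. (2026062901 7200 900 1209600 3600)",
    "@\tIN\tNS\tns1.example.test.",
    "ns1\tIN\tA\t192.0.2.53",
    '_acme-challenge\tIN\tTXT\t"token-abc"',
    "smuggled.other-zone.test.\tIN\tA\t203.0.113.7",
    "$TTL 60",
])

if __name__ == "__main__":
    print(render_txt_rr("_acme-challenge", "v=spf1 -all"))
    for finding in audit_zone_file(SAMPLE_ZONE, "example.test"):
        print("AUDIT:", finding)
```

The rejection happens before rendering because the zone-file escaping alone is not the control: a value that fails validation is refused at the API boundary, and the audit gives operators an independent check on files the DNS rebuild cron has already written.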


How to mitigate CVE-2026-41234

Install the security update from the vendor's website.

Sources