CVE-2026-41230
Published: 23 April 2026
Summary
CVE-2026-41230 is a high-severity CRLF Injection (CWE-93) vulnerability in Froxlor (vendor: Froxlor). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the lack of whitelisting for DNS record types and the failure to sanitize newline characters in content, preventing injection of arbitrary records and BIND directives.
- Restricts the types of input accepted at the DomainZones::add() interface to whitelisted DNS record types, blocking arbitrary types such as NAPTR, PTR, and HINFO.
- Requires timely remediation of the specific flaw by patching to Froxlor version 2.3.6 or later, which implements proper validation and sanitization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a network-accessible server administration web application (Froxlor) allows authenticated low-privileged users to inject arbitrary DNS records and directives via unsanitized input, which maps directly to T1190: Exploit Public-Facing Application.
NVD Description
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
Deeper analysis
Froxlor, open source server administration software, contains a vulnerability (CVE-2026-41230) in versions prior to 2.3.6 affecting the `DomainZones::add()` function. This function accepts arbitrary DNS record types without a whitelist and fails to sanitize newline characters in the `content` field. For DNS types not covered by the existing if/elseif validation chain, such as NAPTR, PTR, or HINFO, content validation is completely bypassed. Embedded newlines in the content persist through `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`.
An authenticated customer with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows injection of arbitrary DNS records and BIND directives, including `$INCLUDE`, `$ORIGIN`, and `$GENERATE`, into the victim's domain zone file. The vulnerability has a CVSS v3.1 base score of 8.5, with high integrity impact (I:H), low availability impact (A:L), no confidentiality impact (C:N), and changed scope (S:C), mapped to CWE-93 (improper neutralization of CRLF sequences).
The Froxlor security advisory (GHSA-47hf-23pw-3m8c) and release notes for version 2.3.6 detail the fix, implemented in commit 47a8af5d9523cb6ec94567405cfc2e294d3a1442. Administrators should upgrade to Froxlor 2.3.6 or later to mitigate the issue, as it addresses the lack of DNS type whitelisting and improper sanitization of newlines in zone content.
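The two defects described above (no record-type allow-list, and `trim()` leaving embedded newlines intact) and the input-validation control recommended against them, shown side by side as an added example. This is illustrative code written for this page, not Froxlor's own: the allow-list, the record shapes checked, and the sample content are all constructed.

```python
import re

# Constructed allow-list of record types the hardened path accepts; it does not
# reproduce Froxlor's actual post-2.3.6 list.
ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SRV", "CAA"}

# BIND control directives that user-supplied content must never carry.
BIND_DIRECTIVES = ("$INCLUDE", "$ORIGIN", "$GENERATE", "$TTL")

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def legacy_validate(rtype: str, content: str) -> bool:
    """Shape of the pre-2.3.6 check described on the page: an if/elseif chain that
    only inspects the types it knows and lets every other type fall through."""
    content = content.strip()  # like PHP trim(): strips only leading/trailing whitespace
    if rtype == "A":
        return bool(IPV4.match(content))
    elif rtype == "CNAME":
        return content.endswith(".")
    # other known types would be checked here ...
    return True  # unknown type (e.g. HINFO, PTR, NAPTR): no validation at all


def hardened_validate(rtype: str, content: str) -> tuple[bool, str]:
    """Allow-list the type first, then reject CR/LF and BIND directives in the
    content before it can reach the zone-file writer."""
    if rtype not in ALLOWED_TYPES:
        return False, f"record type {rtype!r} not in allow-list"
    if "\n" in content or "\r" in content:
        return False, "content contains CR/LF"
    stripped = content.strip()
    if not stripped:
        return False, "empty content"
    if any(tok in stripped for tok in BIND_DIRECTIVES):
        return False, "content contains a BIND directive"
    return True, "ok"


def zone_line(name: str, ttl: int, rtype: str, content: str) -> str:
    """Render one zone-file line the way an unescaping __toString()-style writer
    would; an embedded newline in content yields a second, attacker-chosen line."""
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content}\n"


if __name__ == "__main__":
    sample = "legit\n$ORIGIN injected.example."  # constructed content with an embedded newline
    print(legacy_validate("HINFO", sample))        # True: unknown type, nothing checked
    print(hardened_validate("HINFO", sample))      # rejected on type before content is even read
    print(repr(zone_line("example.com.", 300, "HINFO", sample)))
```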
Details
- CWE(s): CWE-93 (Improper Neutralization of CRLF Sequences)