Cyber Resilience

CVE-2026-41230

High · Public PoC

Published: 23 April 2026

Modified: 27 April 2026
CVSS Score (v3.1): 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L)
EPSS Score: 0.0035 (26.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41230 is a high-severity CRLF Injection (CWE-93) vulnerability in Froxlor Froxlor. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Froxlor, an open source server administration software, contains a vulnerability (CVE-2026-41230) in versions prior to 2.3.6 affecting the `DomainZones::add()` function. This function accepts arbitrary DNS record types without a whitelist and fails to sanitize newline characters in the `content` field. For DNS types not covered by the existing if/elseif validation chain, such as NAPTR, PTR, or HINFO, content validation is completely bypassed. Because `trim()` only strips leading and trailing whitespace, embedded newlines in the content survive it, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`, where each newline starts a new zone-file line.

An authenticated customer with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows injection of arbitrary DNS records and BIND directives, including `$INCLUDE`, `$ORIGIN`, and `$GENERATE`, into the victim's domain zone file. The vulnerability has a CVSS v3.1 base score of 8.5, with high integrity impact (I:H), low availability impact (A:L), no confidentiality impact (C:N), and changed scope (S:C), mapped to CWE-93 (improper neutralization of CRLF sequences).

The Froxlor security advisory (GHSA-47hf-23pw-3m8c) and release notes for version 2.3.6 detail the fix, implemented in commit 47a8af5d9523cb6ec94567405cfc2e294d3a1442. Administrators should upgrade to Froxlor 2.3.6 or later to mitigate the issue, as it addresses the lack of DNS type whitelisting and improper sanitization of newlines in zone content.

Vulnerability details

Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
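The two defects described above (no record-type allowlist, and a `trim()`-style check that cannot catch an embedded newline) and the corresponding hardening, as an added Python example that is not Froxlor's code. The allowlist, the naive renderer, the sample records and the `example.test.` name are all constructed for illustration; the `audit_zone_text()` helper shows a defender-side check on a rendered zone file.

```python
# Constructed allowlist for this example (Froxlor's own validation chain is
# not reproduced): only record types the zone writer knows how to validate.
ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SRV", "CAA"}
# BIND control directives named in the advisory; no customer-supplied record
# should ever start a zone-file line with one of these.
BIND_DIRECTIVES = ("$INCLUDE", "$ORIGIN", "$GENERATE", "$TTL")

def render_naive(name, ttl, rtype, content):
    """Mimic a __toString() that interpolates content unchanged: an embedded
    newline therefore becomes a second zone-file line."""
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content.strip()}"

def validate_record(rtype, content):
    """Hardened pre-storage check. Returns (ok, reason): the type must be
    allowlisted and the content must contain no CR or LF anywhere."""
    rtype = rtype.strip().upper()
    if rtype not in ALLOWED_TYPES:
        return False, f"record type {rtype!r} not allowed"
    # str.strip() behaves like PHP trim(): it removes leading and trailing
    # whitespace only, so an embedded "\n" survives it. Test the whole string.
    if "\r" in content or "\n" in content:
        return False, "line break in content"
    return True, ""

def audit_zone_text(zone_text, expected_records):
    """Defender-side check on a rendered zone: report extra lines beyond the
    number of records submitted and any line that begins with a directive."""
    lines = [ln for ln in zone_text.splitlines() if ln.strip()]
    findings = []
    if len(lines) > expected_records:
        findings.append(f"{len(lines)} lines for {expected_records} records")
    for ln in lines:
        if ln.lstrip().startswith(BIND_DIRECTIVES):
            findings.append(f"directive in customer zone: {ln.strip()}")
    return findings

# Constructed sample: one benign record and one whose content carries a
# directive after a newline, the pattern the advisory describes.
SAMPLES = [
    ("www", 3600, "A", "192.0.2.10"),
    ("info", 3600, "HINFO", '"x86" "linux"\n$ORIGIN example.test.'),
]

def demo():
    """Validate each sample, render all of them naively, and return
    (validator verdicts, audit findings on the rendered zone)."""
    verdicts = [validate_record(t, c)[0] for _, _, t, c in SAMPLES]
    zone = "\n".join(render_naive(*s) for s in SAMPLES)
    return verdicts, audit_zone_text(zone, len(SAMPLES))
```

Running `demo()` shows the naive renderer turning two records into three zone-file lines, while `validate_record()` rejects the second record before it is stored.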

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A vulnerability in a network-accessible server administration web application (Froxlor) allows authenticated low-privileged users to inject arbitrary DNS records and directives via unsanitized input, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41229 (same product: Froxlor Froxlor)
CVE-2026-41228 (same product: Froxlor Froxlor)
CVE-2026-30932 (same product: Froxlor Froxlor)
CVE-2026-41231 (same product: Froxlor Froxlor)
CVE-2025-29773 (same product: Froxlor Froxlor)
CVE-2026-26279 (same product: Froxlor Froxlor)
CVE-2026-39983 (shared CWE-93)
CVE-2025-28357 (shared CWE-93)
CVE-2026-39394 (shared CWE-93)
CVE-2026-21428 (shared CWE-93)

Affected Assets

froxlor / froxlor: ≤ 2.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Control type: prevent. Directly mitigates the lack of whitelisting for DNS record types and the failure to sanitize newline characters in content, preventing injection of arbitrary records and BIND directives.

Control type: prevent. Restricts the types of inputs accepted at the `DomainZones::add()` interface to whitelisted DNS records, blocking arbitrary types like NAPTR, PTR, and HINFO.

Control type: prevent. Requires timely remediation of the specific flaw through patching to Froxlor version 2.3.6 or later, which implements proper validation and sanitization.
