CVE-2026-41234

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-41234

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41234.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-41234

Aliases

GHSA-37m5-m4q3-fc6x

Related

Published

2026-06-04T17:47:12.538Z

Modified

2026-06-18T03:54:37.913023813Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L CVSS Calculator

Summary

Froxlor: BIND Zone File Injection via TXT Record Content

Details

Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives ($INCLUDE, $GENERATE) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41234.json",
    "cwe_ids": [
        "CWE-74"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/froxlor/froxlor

Affected ranges

Type

GIT

Repo

https://github.com/froxlor/froxlor

Events

Introduced

Fixed

070e537744f20d30743a22e82f783e81893d7e54

Database specific

{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.3.7"
        }
    ]
}

Affected versions

0.*

0.10.0

0.10.0-rc1

0.10.0-rc2

0.10.1

0.10.10

0.10.11

0.10.12

0.10.13

0.10.14

0.10.15

0.10.16

0.10.17

0.10.18

0.10.19

0.10.2

0.10.20

0.10.21

0.10.22

0.10.23

0.10.23.1

0.10.24

0.10.25

0.10.26

0.10.27

0.10.28

0.10.29

0.10.29.1

0.10.3

0.10.30

0.10.31

0.10.32

0.10.33

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.9.18

0.9.18.1

0.9.19

0.9.20

0.9.20.1

0.9.21

0.9.22

0.9.22-rc1

0.9.23

0.9.23-rc1

0.9.24

0.9.24-rc1

0.9.25

0.9.25-rc1

0.9.26

0.9.26-rc1

0.9.27

0.9.27-rc1

0.9.28

0.9.28-rc1

0.9.28.1

0.9.29

0.9.29-rc1

0.9.30

0.9.30-rc1

0.9.31-rc1

0.9.32

0.9.32-rc1

0.9.32-rc2

0.9.33-rc1

0.9.33-rc2

0.9.33-rc3

0.9.34.1

0.9.34.2

0.9.35

0.9.35-rc1

0.9.35.1

0.9.36

0.9.37

0.9.37-rc1

0.9.38

0.9.38-rc1

0.9.38-rc2

0.9.38.1

0.9.38.2

0.9.38.3

0.9.38.4

0.9.38.5

0.9.38.6

0.9.38.7

0.9.38.8

0.9.39

0.9.39.1

0.9.39.2

0.9.39.3

0.9.39.4

0.9.39.5

2.*

2.0.1

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19

2.0.2

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.1.0

2.1.0-beta1

2.1.0-beta2

2.1.0-rc1

2.1.0-rc2

2.1.0-rc3

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0-rc1

2.3.0

2.3.0-rc1

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41234.json"