Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-uyv2-5ka7-pufp
Vulnerability ID VCID-uyv2-5ka7-pufp
Aliases CVE-2026-41234
GHSA-37m5-m4q3-fc6x
Summary Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
System Score Found at
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-41234
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2026-41234
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-37m5-m4q3-fc6x
cvssv3.1 7.6 https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
generic_textual HIGH https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
ssvc Track https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
cvssv3.1 7.6 https://github.com/froxlor/froxlor
generic_textual HIGH https://github.com/froxlor/froxlor
cvssv3.1 7.6 https://github.com/froxlor/froxlor/releases/tag/2.3.7
generic_textual HIGH https://github.com/froxlor/froxlor/releases/tag/2.3.7
ssvc Track https://github.com/froxlor/froxlor/releases/tag/2.3.7
cvssv3.1 7.6 https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
cvssv3.1_qr HIGH https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
generic_textual HIGH https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
ssvc Track https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
cvssv3.1 7.6 https://nvd.nist.gov/vuln/detail/CVE-2026-41234
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-41234
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-41234
https://github.com/froxlor/froxlor
2.3.7 https://github.com/froxlor/froxlor/releases/tag/2.3.7
CVE-2026-41234 https://nvd.nist.gov/vuln/detail/CVE-2026-41234
GHSA-37m5-m4q3-fc6x https://github.com/advisories/GHSA-37m5-m4q3-fc6x
GHSA-37m5-m4q3-fc6x https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
GHSA-x6w6-2xwp-3jh6 https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-04T19:01:40Z/ Found at https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://github.com/froxlor/froxlor
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://github.com/froxlor/froxlor/releases/tag/2.3.7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-04T19:01:40Z/ Found at https://github.com/froxlor/froxlor/releases/tag/2.3.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-04T19:01:40Z/ Found at https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41234
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.14484
EPSS Score 0.00046
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:51:08.431902+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41234.json 38.6.0