CVE-2026-41230

Name of the Vulnerable Software and Affected Versions Froxlor versions prior to 2.3.6

Description The DomainZones::add() function accepts arbitrary DNS record types without a whitelist and fails to sanitize newline characters in the content variable. When a DNS type not covered by the validation chain is submitted, such as NAPTR, PTR, or HINFO, content validation is bypassed. Newline characters are stored in the database and written into BIND zone files via the DnsEntry:: toString() function. This allows an authenticated customer to inject arbitrary DNS records and BIND directives, including $INCLUDE, $ORIGIN, and $GENERATE, into their domain zone file.

Recommendations Update to version 2.3.6.