PT-2026-44908 · Froxlor+1 · Froxlor+1

Michael Kaufmann

·

Published

2026-05-29

·

Updated

2026-06-04

·

CVE-2026-41237

CVSS v4.0

8.6

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Froxlor versions 2.3.6 and earlier
Description DNS record content is concatenated directly into bind9 zone files in the DnsEntry.php file, which allows for zone file injection. The issue stems from incomplete validation of LOC, RP, SSHFP, and TLSA records. Specifically, the LOC record regular expression uses s+, which matches newlines and allows embedded newlines to pass validation. Additionally, TLSA records with matchingType=0 lack an upper bound on hex data length, potentially enabling DNS amplification or data exfiltration. All validators return raw input without zone-file escaping, allowing authenticated users with DNS management permissions to inject arbitrary records into zone files, which could lead to domain hijacking or phishing.
Recommendations For versions 2.3.6 and earlier, update to version 2.3.7. Replace s+ in the LOC regex with [ t]+ to exclude newlines. Implement a maximum length for TLSA matchingType=0 data. Escape or reject newlines in all DNS record content before writing to zone files.

Exploit

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41237
GHSA-J6FM-9RFM-J5HX

Affected Products

Froxlor
Bind 9