CVE-2026-41234
Froxlor: BIND Zone File Injection via TXT Record Content
Description
Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.
INFO
Published Date :
June 4, 2026, 5:47 p.m.
Last Modified :
June 4, 2026, 5:47 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Affected Products
The following products are affected by CVE-2026-41234
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update Froxlor to version 2.3.7 or later.
- Apply the vendor-provided patch for CVE-2026-30932.
- Validate DNS zone file integrity after update.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-41234 vulnerability anywhere in the article.