What is the CVSS score of CVE-2026-41230?

CVE-2026-41230 has a CVSS 3.1 base score of 8.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Froxlor are affected by CVE-2026-41230?

Froxlor versions prior to 2.3.6 contain a DNS zone file injection vulnerability that allows authenticated customer accounts to manipulate DNS records and directives for managed domains, potentially…. A patch is available.

How to fix or mitigate CVE-2026-41230?

Within 24 hours: Identify all Froxlor installations and document current versions. Within 7 days: Apply vendor patch to Froxlor 2.3.6 or later (verify GitHub commit 47a8af5d is included); test in staging environment before production deployment. Within 30 days: Audit DNS zone files for unauthorized directives ($INCLUDE, $ORIGIN, $GENERATE) and review customer account activity logs for suspicious DNS record modifications during the vulnerability window.

Froxlor CVE-2026-41230

EUVD-2026-25180 HIGH

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)

2026-04-23 GitHub_M

GHSA-47hf-23pw-3m8c

Authentication Bypass Froxlor

8.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.5 HIGH

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

Patch released

Apr 27, 2026 - 17:01 nvd

Patch available

Re-analysis Queued

Apr 23, 2026 - 16:12 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:59 vuln.today

Patch available

Apr 23, 2026 - 06:16 EUVD

EUVD ID Assigned

Apr 23, 2026 - 04:00 euvd

EUVD-2026-25180

Analysis Generated

Apr 23, 2026 - 04:00 vuln.today

CVE Published

Apr 23, 2026 - 03:47 nvd

HIGH 8.5

DescriptionGitHub Advisory

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add() accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded newline characters in the content survive trim() processing, are stored in the database, and are written directly into BIND zone files via DnsEntry::__toString(). An authenticated customer can inject arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE) into their domain's zone file. Version 2.3.6 fixes the issue.

AnalysisAI

DNS zone file injection in Froxlor versions prior to 2.3.6 allows authenticated customers to inject arbitrary BIND directives and DNS records through unvalidated record types and unsanitized newline characters. Attackers with low-privilege customer accounts can manipulate DNS resolution for managed domains by embedding malicious directives like $INCLUDE, $ORIGIN, or $GENERATE into zone files, potentially redirecting traffic, creating unauthorized records, or disrupting DNS services. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain customer credentials

Delivery

Access DNS management interface

Exploit

Submit malformed DNS record with exotic type

Install

Inject newline + BIND directive in content field

Zone file regenerated with injected directives

Execute

BIND reloads poisoned zone

Impact

DNS queries resolve to attacker-controlled records