CVE Catalog

CVE-2026-41237

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile - higher than 37% of all known CVEs

Summary

Froxlor 2.3.6 and earlier contains a vulnerability in the validation of DNS LOC and TLSA records. The regular expression for LOC accepts newline characters, and TLSA with matchingType=0 has no upper bound on hex data length, which may lead to injection of malicious data. Version 2.3.7 contains a fix.

Risk Assessment

An attacker can exploit this vulnerability to inject dangerous data into DNS zones, potentially compromising server configuration integrity and leading to takeover of DNS services.

Recommendation

Immediately update Froxlor to version 2.3.7 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS