CVE-2026-41237
HighCVSS 8.6Exploitation Probability (EPSS)
Low risk37th percentile - higher than 37% of all known CVEs
Summary
Froxlor 2.3.6 and earlier contains a vulnerability in the validation of DNS LOC and TLSA records. The regular expression for LOC accepts newline characters, and TLSA with matchingType=0 has no upper bound on hex data length, which may lead to injection of malicious data. Version 2.3.7 contains a fix.
Risk Assessment
An attacker can exploit this vulnerability to inject dangerous data into DNS zones, potentially compromising server configuration integrity and leading to takeover of DNS services.
Recommendation
Immediately update Froxlor to version 2.3.7 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch.

