CVE-2026-41237: Froxlor has an incomplete fix for CVE-2026-30932
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch.
Metrics
- CVSS v4.0: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an input validation bypass in Froxlor, an open source server administration panel, affecting versions 2.3.6 and earlier. The flaw is reachable over the network by any authenticated low-privilege user, with no victim interaction required, and stems from multiple DNS record validators that accept malformed input: the LOC record regex permits embedded newlines, TLSA matchingType=0 imposes no length limit on hex data, and all validators return raw user input without zone-file escaping. Successful exploitation lets an attacker read and tamper with DNS zone data, with the potential to inject arbitrary zone-file content or corrupt records. A fix is available in Froxlor 2.3.7; HarborGuard tracks this advisory and a patched-image rebuild will be made available the moment a published fix version is confirmed in upstream package metadata.
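The three validator defects named above, shown as a weak/hardened pair in an illustrative reimplementation that is not Froxlor's code (field grammars follow RFC 1876 for LOC and RFC 6698 for TLSA; `MAX_CERT_HEX` and the function names are this example's own assumptions):

```python
import re

# Illustrative reimplementation of the three validator defects named in the advisory
# (assumed field grammars after RFC 1876 LOC and RFC 6698 TLSA); not Froxlor's code.

# 1. LOC: `\s+` between fields also matches "\n", so a record carrying a line break
#    still passes. The hardened pattern allows only spaces/tabs and anchors with \Z
#    (Python's `$` would still match just before a trailing newline).
_LOC_FIELDS = r'\d+{s}\d+{s}\d+(?:\.\d+)?{s}[NS]{s}\d+{s}\d+{s}\d+(?:\.\d+)?{s}[EW]{s}-?\d+(?:\.\d+)?m?'
LOC_WEAK = re.compile('^' + _LOC_FIELDS.format(s=r'\s+') + '$')
LOC_HARDENED = re.compile('^' + _LOC_FIELDS.format(s=r'[ \t]+') + r'\Z')

def loc_weak(record: str) -> bool:
    return LOC_WEAK.match(record) is not None

def loc_hardened(record: str) -> bool:
    return LOC_HARDENED.match(record) is not None

# 2. TLSA: matchingType 1/2 imply a fixed digest length, but type 0 (full certificate)
#    had no upper bound. The hardened check caps it (MAX_CERT_HEX is an assumed limit).
TLSA = re.compile(r'^([0-3])[ \t]+([01])[ \t]+([012])[ \t]+([0-9A-Fa-f]+)\Z')
DIGEST_HEX = {1: 64, 2: 128}
MAX_CERT_HEX = 16384  # assumption: 8 KiB DER certificate, well under the 64 KiB RDATA limit

def tlsa_weak(record: str) -> bool:
    m = TLSA.match(record)
    if not m:
        return False
    mtype, data = int(m.group(3)), m.group(4)
    return mtype == 0 or len(data) == DIGEST_HEX[mtype]

def tlsa_hardened(record: str) -> bool:
    m = TLSA.match(record)
    if not m:
        return False
    mtype, data = int(m.group(3)), m.group(4)
    if mtype == 0:
        return len(data) % 2 == 0 and 2 <= len(data) <= MAX_CERT_HEX
    return len(data) == DIGEST_HEX[mtype]

# 3. Zone-file escaping: the validators returned raw input. Before writing free-text
#    RDATA (e.g. TXT) into a zone, reject control characters and escape the characters
#    the RFC 1035 master-file syntax treats specially.
_SPECIAL = set('\\";()')

def zone_escape(text: str) -> str:
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        raise ValueError("control character in zone data")
    return ''.join('\\' + c if c in _SPECIAL else c for c in text)
```

Note that the `\Z` anchor matters as much as the separator class: a regex ending in `$` still accepts a trailing newline in Python and many other engines.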
HarborGuard Coverage
Detection of CVE-2026-41237 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Froxlor. No manual configuration is required for this matching to occur.
HarborGuard scores this CVE at 8.6 HIGH using the CVSS v4.0 vector and surfaces it accordingly in each customer's findings feed, weighted against that environment's compliance policy. Triage routing directs the finding to the inbox or ticketing integration configured for the affected workload's owner within each customer organization.
Because no fix version has been published in upstream package metadata at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Froxlor 2.3.7 is resolvable from upstream sources. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as the fix is confirmed.
Exploit Conditions
- Network reachability: Required
The vulnerable Froxlor panel must be reachable over the network; an attacker sends crafted DNS record input to the application's HTTP endpoints from a remote host.
- Authentication: Required
A valid low-privilege Froxlor account is sufficient to reach the affected validators; no administrative or special-role account is needed.
- Victim interaction: Not required
The attacker submits malicious input directly through their own authenticated session; no other user needs to take any action.
- Attack complexity: Low
Exploitation is straightforward and condition-free: the malformed input passes validation reliably without requiring race conditions, memory-layout knowledge, or environmental prerequisites.
Blast Radius
- An attacker reads the contents of DNS zone files managed by Froxlor, including records for all domains hosted on the server.
- An attacker injects arbitrary content into zone files by embedding newlines or oversized hex data, allowing DNS record manipulation such as adding or overwriting A, NS, or TLSA records.
- Corrupted or injected zone-file content can redirect traffic for hosted domains, enabling phishing, session hijacking, or interception of email and web traffic for affected tenants.
- Availability of the Froxlor service itself is not directly impacted according to the CVSS vector, but downstream DNS infrastructure handling the malformed zones may behave unpredictably.
How HarborGuard Handles This
Because no fix version has been published in upstream package metadata at the time of this writing, HarborGuard continuously monitors the Froxlor advisory across every ingest cycle and will surface the patched-image rebuild the moment Froxlor 2.3.7 is confirmed in upstream sources. In the interim, compensating controls worth considering include network-policy isolation that restricts Froxlor panel access to trusted operator IP ranges only, egress filtering to prevent the panel from writing zone data to downstream DNS servers until input is sanitized, and disabling the LOC and TLSA record creation features via Froxlor's feature-flag or ACL configuration if those record types are not operationally required. For customers with auto-remediation enabled, once the fix version is resolvable, HarborGuard will trigger a rebuild, run regression tests, and open a PR against affected workloads automatically. Given the HIGH severity rating, environments with auto-remediation enabled typically see a median time from CVE publication to merged patch PR of around 90 minutes after the upstream fix becomes available.
Affected Products
- froxlor/froxlor: < 2.3.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N