PatchSiren cyber security CVE debrief

CVE-2026-41237 froxlor CVE debrief

A vulnerability was discovered in Froxlor, an open-source server administration panel. The issue, tracked as CVE-2026-41237, affects version 2.3.6 and earlier. It arises from the LOC record regex using `\s+` as the field separator: because `\s` also matches newline characters, values with embedded newlines pass validation. Additionally, TLSA records with `matching=0` have no upper bound on the length of the hex data, and all validators return the raw input without zone-file escaping. This vulnerability has a CVSS score of 8.6 and is classified as HIGH severity. The issue was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-41237) on 2026-06-04T19:16:29.503Z and modified on 2026-06-05T20:17:31.417Z. For more information, refer to the [NVD detail page](https://nvd.nist.gov/vuln/detail/CVE-2026-41237). The vulnerability was patched in version 2.3.7. Refer to [ref-4](https://github.com/froxlor/froxlor/commit/b34829262dc3), [ref-5](https://github.com/froxlor/froxlor/releases/tag/2.3.7), and [ref-6](https://github.com/froxlor/froxlor/security/advisories/GHSA-j6fm-9rfm-j5hx) for more details.

Vendor
froxlor
Product
Unknown
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-04
Original CVE updated
2026-06-05
Advisory published
2026-06-04
Advisory updated
2026-06-05

Who should care

Administrators and users of Froxlor server administration software version 2.3.6 and earlier should be aware of this vulnerability and upgrade to version 2.3.7 or apply the fix.

Technical summary

The LOC record regex in Froxlor version 2.3.6 and earlier uses `\s+` as the field separator; because `\s` also matches newline characters, values with embedded newlines pass validation. TLSA records with `matching=0` have no upper bound on the length of the hex data, and all validators return the raw input without zone-file escaping.
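As an added illustration (this is not Froxlor's own code, and the LOC grammar is a simplification), the following Python validators show the three points above: a separator of `[ \t]+` instead of `\s+`, a length bound for TLSA `matching=0`, and a final whitelist check before record data reaches the zone file. `MAX_FULL_CERT_HEX` is an assumed cap.

```python
import re

# Constructed sample inputs: one well-formed LOC value and one carrying an
# embedded newline, which would end the record early in a zone file.
LOC_OK = "42 21 54.000 N 71 06 18.000 W -24m 30m 10m 10m"
LOC_NEWLINE = "42 21 54 N 71 06 18 W -24m\n30m"


def loc_pattern(ws: str) -> re.Pattern:
    """Simplified LOC grammar (assumption, not Froxlor's regex); `ws` is the
    field separator, which is where the advisory's weakness sits."""
    coord = rf"\d{{1,3}}{ws}\d{{1,2}}{ws}\d{{1,2}}(?:\.\d{{1,3}})?"
    size = r"-?\d+(?:\.\d+)?m"
    return re.compile(rf"{coord}{ws}[NS]{ws}{coord}{ws}[EW]{ws}{size}(?:{ws}{size}){{0,3}}")


WEAK_LOC = loc_pattern(r"\s+")      # \s matches \n, so newlines slip through
STRICT_LOC = loc_pattern(r"[ \t]+")  # horizontal whitespace only


def validate_loc(value: str, pattern: re.Pattern = STRICT_LOC) -> bool:
    # fullmatch, not ^...$: a bare $ still tolerates one trailing newline
    return pattern.fullmatch(value) is not None


HEX = re.compile(r"[0-9A-Fa-f]+")
MAX_FULL_CERT_HEX = 8192  # assumed cap for matching=0 (full cert/SPKI data)


def validate_tlsa(usage: int, selector: int, matching: int, data: str) -> bool:
    """Bound the hex payload: fixed digest lengths for 1/2, a hard cap for 0."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        return False
    if HEX.fullmatch(data) is None or len(data) % 2:
        return False
    digest_len = {1: 64, 2: 128}  # SHA-256 / SHA-512 in hex characters
    if matching in digest_len:
        return len(data) == digest_len[matching]
    return matching == 0 and len(data) <= MAX_FULL_CERT_HEX


# Final guard before writing a zone file: no newline, ';', '(', ')', '"', '\'.
ZONE_SAFE = re.compile(r"[A-Za-z0-9 \t.:+/=_-]*")


def is_zone_safe(value: str) -> bool:
    return ZONE_SAFE.fullmatch(value) is not None


def render_record(name: str, rtype: str, rdata: str) -> str:
    """Emit one zone-file line, refusing data that could break out of it."""
    if not is_zone_safe(rdata):
        raise ValueError("rdata contains zone-file metacharacters")
    return f"{name}\tIN\t{rtype}\t{rdata}"
```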

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Froxlor version 2.3.7 or later.
  • Apply patches as described in [ref-4](https://github.com/froxlor/froxlor/commit/b34829262dc3).
  • Review and update configurations according to best practices.

Evidence notes

The vulnerability has a CVSS score of 8.6 and is classified as HIGH severity. The issue was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-41237) on 2026-06-04T19:16:29.503Z and modified on 2026-06-05T20:17:31.417Z.

Official resources

CVE-2026-41237 was published on 2026-06-04T19:16:29.503Z and modified on 2026-06-05T20:17:31.417Z.