CVE Alert

CVE-2026-30932

UNKNOWN 0.0

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 13th

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
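
An added example, not Froxlor's patch or code from this advisory: one way to validate record content before it is written to a single zone file line, using strict per-type patterns so that newlines and `$` directives cannot pass. The function name and the patterns are assumptions made for illustration, and the grammars are deliberately narrower than the RFCs allow.

```python
import re

# Illustrative allowlist grammars (assumptions, narrower than the RFCs).
_HEX = r"[0-9A-Fa-f]+"
_NAME = r"(?:\.|(?:[A-Za-z0-9_-]+\.)*[A-Za-z0-9_-]+\.?)"
_PATTERNS = {
    # SSHFP: algorithm, fingerprint type, hex fingerprint
    "SSHFP": re.compile(rf"[0-9]{{1,3}} [0-9]{{1,3}} {_HEX}"),
    # TLSA: usage, selector, matching type, hex association data
    "TLSA": re.compile(rf"[0-9]{{1,3}} [0-9]{{1,3}} [0-9]{{1,3}} {_HEX}"),
    # RP: mailbox domain name followed by a TXT domain name
    "RP": re.compile(rf"{_NAME} {_NAME}"),
    # LOC: coarse character allowlist (digits, hemispheres, metres, signs)
    "LOC": re.compile(r"[0-9NSEWm.\- ]+"),
}


def validate_record_content(rtype, content):
    """Return content unchanged if it fits the type's grammar, else raise.

    fullmatch() must consume the whole string, so CR, LF, '$', ';', quotes
    and parentheses are rejected because no pattern above contains them.
    """
    pattern = _PATTERNS.get(rtype.upper())
    if pattern is None:
        raise ValueError(f"no validator for record type {rtype!r}")
    if not pattern.fullmatch(content):
        raise ValueError(f"invalid {rtype.upper()} content: {content!r}")
    return content


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    samples = [
        ("SSHFP", "1 1 0123456789abcdef"),
        ("TLSA", "3 1 1 ab12cd34"),
        ("RP", "admin.example.com. info.example.com."),
        ("LOC", "52 22 23.000 N 4 53 32.000 E -2.00m 0.00m 10000m 10m"),
        ("SSHFP", "1 1 abcdef\n$INCLUDE /placeholder/path"),
    ]
    for rtype, content in samples:
        try:
            validate_record_content(rtype, content)
            print("accepted", rtype, repr(content))
        except ValueError as exc:
            print("rejected", exc)
```
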

CWE: CWE-74
Vendor: froxlor
Product: froxlor
Published: Mar 24, 2026
Last Updated: Mar 25, 2026
Affected Versions

froxlor / froxlor
< 2.3.5

References

https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6
https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b
https://github.com/froxlor/froxlor/releases/tag/2.3.5