CVE-2026-30932

High CVSS: 8.6

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.

Vendor

Froxlor

Product

Froxlor

CWE

CWE-74

Yayın Tarihi

2026-03-24 19:16:51

Güncelleme

2026-03-26 12:17:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-74 Froxlor HIGH Froxlor 2026

Referanslar

https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b https://github.com/froxlor/froxlor/releases/tag/2.3.5 https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6

Benzer Kayıtlar

Critical

CVE-2026-26279

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code (== ins…

Medium

CVE-2025-48958

Froxlor is open source server administration software. Prior to version 2.2.6, an HTML Injection vulnerability in the cu…

Medium

CVE-2025-29773

Froxlor is open-source server administration software. A vulnerability in versions prior to 2.2.6 allows users (such as…