CVE-2026-30932

HIGH

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Title source: cna
STIX 2.1

Description

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.

References (3)

Scores

CVSS v3 8.8
EPSS 0.0002
EPSS Percentile 6.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-74
Status published
Products (2)
froxlor/froxlor < 2.3.5 (2 CPE variants)
froxlor/froxlor 0 - 2.3.5Packagist
Published Mar 24, 2026
Tracked Since Mar 25, 2026