QwikSec

Security Database

CVE

CWE

Training

CVE-2026-30932

Published: Mar 24, 2026

Modified: Mar 25, 2026

PUBLISHED

Description

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.

Vendor	Product	Versions
froxlor	froxlor	affected `< 2.3.5`

Weaknesses (CWE)

References

https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6

x_refsource_CONFIRM

https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b

x_refsource_MISC

https://github.com/froxlor/froxlor/releases/tag/2.3.5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.