Vulnerability Description
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Froxlor | Froxlor | < 2.3.5 |
Related Weaknesses (CWE)
References
- https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a8Patch
- https://github.com/froxlor/froxlor/releases/tag/2.3.5ProductRelease Notes
- https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6ExploitVendor Advisory
FAQ
What is CVE-2026-30932?
CVE-2026-30932 is a vulnerability with a CVSS score of 8.8 (HIGH). Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for sever...
How severe is CVE-2026-30932?
CVE-2026-30932 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30932?
Check the references section above for vendor advisories and patch information. Affected products include: Froxlor Froxlor.