Description
Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
Published: 2026-03-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: DNS zone file injection that can lead to remote code execution
Action: Immediate Patch
AI Analysis

Impact

Froxlor's DomainZones.add API accepts DNS record content without sanitizing it for several record types (LOC, RP, SSHFP and TLSA). An attacker can embed newlines and BIND zone directives, for example $INCLUDE, in the content field. When the periodic DNS rebuild cron job writes the zone file to disk, the injected directives are processed by BIND as part of the zone, allowing malicious alteration of the zone data or execution of arbitrary code under the privileges of the DNS service.
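As an added, illustrative defence (editor's example, not Froxlor's own code): a validator that rejects record content able to break out of its single zone-file line for the four affected record types, plus an audit over a rendered zone file for directives a generated zone has no reason to contain. The per-type regexes are approximations of the RFC text formats, and the sample zone is constructed.

```python
import re

# Allow-list syntax for the four record types the advisory names (editor's
# approximations of RFC 1876 LOC, RFC 1183 RP, RFC 4255 SSHFP, RFC 6698 TLSA).
RECORD_SYNTAX = {
    "LOC": re.compile(r"\d{1,2}( \d{1,2}( \d{1,2}(\.\d{1,3})?)?)? [NS] "
                      r"\d{1,3}( \d{1,2}( \d{1,2}(\.\d{1,3})?)?)? [EW] "
                      r"-?\d+(\.\d+)?m?( \d+(\.\d+)?m?){0,3}"),
    "RP": re.compile(r"[A-Za-z0-9._-]+\.? [A-Za-z0-9._-]+\.?"),
    "SSHFP": re.compile(r"\d{1,2} \d [0-9A-Fa-f]{32,128}"),
    "TLSA": re.compile(r"[0-3] [01] [0-2] [0-9A-Fa-f]{32,128}"),
}

def validate_record_content(rtype: str, content: str) -> tuple[bool, str]:
    """Return (ok, reason). The record is written as ONE zone-file line, so
    anything that can end that line or introduce master-file syntax is
    rejected before the type-specific check runs."""
    # Newline/CR/tab (any control char) would terminate the line and let the
    # remainder be parsed by BIND as further records or $-directives.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in content):
        return False, "control character in record content"
    # $-directives, parentheses (multi-line records) and ';' comments are
    # master-file syntax that none of these record types legitimately use.
    if any(ch in content for ch in "$();"):
        return False, "zone-file syntax character in record content"
    rx = RECORD_SYNTAX.get(rtype.upper())
    if rx is None:
        return False, f"unsupported record type {rtype}"
    if not rx.fullmatch(content):
        return False, f"content does not match {rtype} syntax"
    return True, "ok"

# Detection for already-rendered zones: a Froxlor-generated zone file has no
# reason to contain $INCLUDE or $GENERATE, so any such line is suspect.
DIRECTIVE = re.compile(r"\$(INCLUDE|GENERATE)\b", re.IGNORECASE)

def find_unexpected_directives(zone_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every $INCLUDE/$GENERATE line."""
    return [(n, line.rstrip()) for n, line in enumerate(zone_text.splitlines(), 1)
            if DIRECTIVE.match(line.lstrip())]

# Constructed sample zone (not real Froxlor output) with one injected line.
SAMPLE_ZONE = (
    "$TTL 3600\n"
    "@ IN SOA ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600\n"
    "_443._tcp IN TLSA 3 1 1 " + "ab" * 32 + "\n"
    "$INCLUDE /placeholder/attacker-chosen-file\n"
)
```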

Affected Systems

The vulnerability affects all installations of Froxlor prior to version 2.3.5 that expose the DomainZones.add endpoint to customers with DNS enabled. Any unpatched server where users can add DNS records through this API is at risk.

Risk and Exploitability

With a CVSS base score of 8.6 the flaw is high severity, but the EPSS score is below 1% and it is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation in the wild. An attacker needs only customer-level API access (with DNS enabled) to inject the malicious content; the cron job that rebuilds the zone file then persists the injection, giving the attacker the ability to modify DNS responses or execute code. The attack vector is stored injection via the customer-facing API.

Generated by OpenCVE AI on March 26, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.5 or later


Advisories

Source: GitHub GHSA
ID: GHSA-x6w6-2xwp-3jh6
Title: Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
History

Thu, 26 Mar 2026 12:30:00 +0000

  CPEs: cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*:*
  Metrics cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 14:15:00 +0000

  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

  First Time appeared: Froxlor, Froxlor froxlor
  Vendors & Products: Froxlor, Froxlor froxlor

Tue, 24 Mar 2026 19:00:00 +0000

  Description: Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.
  Title: Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
  Weaknesses: CWE-74
  References:
  Metrics cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:31:13.459Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30932

Vulnrichment

Updated: 2026-03-25T13:31:05.256Z

NVD

Status: Analyzed

Published: 2026-03-24T19:16:51.863

Modified: 2026-03-26T12:17:21.523

Link: CVE-2026-30932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:45Z

Weaknesses