Description
Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.
Published: 2026-06-04
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Froxlor, an open‑source server administration platform, contained a newline‑injection flaw in the DomainZones.add API that allowed an authenticated user with DNS editing privileges to insert line breaks into the text of a TXT record. The injected line breaks break the normal BIND zone file format, permitting the user to embed arbitrary BIND directives such as $INCLUDE and $GENERATE as well as new DNS resource records (e.g., A, MX, CNAME). In the context of the DNS rebuild cron, this results in a modified zone file written to disk, effectively allowing the user to alter the authoritative DNS data for the domain, which can lead to spoofing, redirecting, or denial of service of legitimate DNS resolution requests.

Affected Systems

The vulnerability applies to all Froxlor installations running a version earlier than 2.3.7. The affected product is the Froxlor server administration software. Users should verify the version of Froxlor they are running and plan to upgrade to 2.3.7 or later to receive the patch that sanitizes TXT record content.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. Because the exploit requires an authenticated customer with DNS editing enabled, the attack vector is internal, but the impact on DNS integrity could have widespread consequences for the domain’s clients and services. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Correcting the elimination of newline characters prevents manipulation of zone files and mitigates the risk of DNS injection.

Generated by OpenCVE AI on June 4, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.7 or later to apply the official fix.
  • Immediately restrict or disable the DNS editing capability for authenticated customers until the upgrade is complete.
  • Audit existing zone files for unintended BIND directives or records and restore them to a known good state.

Generated by OpenCVE AI on June 4, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-37m5-m4q3-fc6x Froxlor: BIND Zone File Injection via TXT Record Content
History

Thu, 04 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Froxlor
Froxlor froxlor
Vendors & Products Froxlor
Froxlor froxlor

Thu, 04 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Description Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.
Title Froxlor: BIND Zone File Injection via TXT Record Content
Weaknesses CWE-74
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Froxlor Froxlor
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T19:02:10.231Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41234

cve-icon Vulnrichment

Updated: 2026-06-04T19:02:04.845Z

cve-icon NVD

Status : Received

Published: 2026-06-04T19:16:28.963

Modified: 2026-06-04T20:16:57.677

Link: CVE-2026-41234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T19:30:21Z

Weaknesses