Description
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch.
Published: 2026-06-04
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs because Froxlor's LOC record validation regex uses `\s+` as the field separator, which also matches newline characters; the TLSA validator puts no upper bound on the hex data length for `matchingType=0` (full certificate); and the validators return the raw, unescaped input for rendering into the zone file. An authenticated user who can create or edit DNS records can therefore submit values containing embedded line breaks or very long hex strings that pass validation and reach the generated zone file, corrupting the record's line or inserting attacker-controlled data. The CVSS vector rates the impact on confidentiality and integrity of the affected zone data as high. The flaw is classified as CWE-74, improper neutralization of special elements in output used by a downstream component (injection).
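
The following is an added example, not Froxlor's code. Froxlor is written in PHP, but the three weaknesses are regex and length-check semantics that Python's `re` module shares with PCRE (`\s` matches a line break, `$` matches before a trailing newline), so each weakness is reproduced here beside a hardened equivalent. Record formats follow RFC 1876 (LOC) and RFC 6698 (TLSA); the function names, the simplified LOC pattern, the `MAX_TLSA_HEX` limit and the `render_zone_line` gate are assumptions for illustration, not Froxlor's values.

```python
# Added example (not Froxlor's code): the three validator weaknesses the
# advisory describes, reproduced in Python beside hardened equivalents.
# Python's re module shares the relevant PCRE semantics: \s matches "\n"
# and "\r", and $ matches before a trailing "\n". Record formats follow
# RFC 1876 (LOC) and RFC 6698 (TLSA); function names, the simplified LOC
# pattern, MAX_TLSA_HEX and the renderer are assumptions for illustration.
import re

_NUM = r'\d+(?:\.\d+)?'
_HEX = r'[0-9a-fA-F]+'


def _loc_pattern(sep):
    # Simplified LOC presentation format (RFC 1876 section 3):
    #   d1 [m1 [s1]] {N|S} d2 [m2 [s2]] {E|W} alt[m] [siz[m] [hp[m] [vp[m]]]]
    # 'sep' is the inter-field separator; that choice is the whole bug.
    return (rf'\d{{1,2}}(?:{sep}\d{{1,2}}(?:{sep}{_NUM})?)?{sep}[NS]{sep}'
            rf'\d{{1,3}}(?:{sep}\d{{1,2}}(?:{sep}{_NUM})?)?{sep}[EW]{sep}'
            rf'-?{_NUM}m?(?:{sep}{_NUM}m?){{0,3}}')


# --- Before: the weak validators ------------------------------------------
LOC_WEAK = re.compile('^' + _loc_pattern(r'\s+') + '$')


def validate_loc_weak(value):
    # \s+ lets a line break separate fields, and $ ignores a trailing one;
    # the raw input is returned, so the newline reaches the zone file.
    return value if LOC_WEAK.match(value) else None


def validate_tlsa_weak(usage, selector, matching_type, data):
    # matchingType 1 and 2 are pinned to 64/128 hex chars; 0 (full cert)
    # accepts any length, so a multi-megabyte value passes.
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        return None
    expected = {0: '+', 1: '{64}', 2: '{128}'}.get(matching_type)
    if expected is None or not re.fullmatch(rf'[0-9a-fA-F]{expected}', data):
        return None
    return f'{usage} {selector} {matching_type} {data}'   # raw, as submitted


# --- After: hardened validators and a render-time gate --------------------
MAX_TLSA_HEX = 2 * 4096   # assumed limit; DNS RDATA is capped at 65535 bytes anyway
LOC_STRICT = re.compile(_loc_pattern(r'[ \t]+'))   # horizontal whitespace only


def validate_loc(value):
    # fullmatch() covers the whole string (no $-before-newline exception) and
    # the separator excludes line breaks; the result is canonical, not raw.
    if not LOC_STRICT.fullmatch(value):
        return None
    return ' '.join(value.split())


def validate_tlsa(usage, selector, matching_type, data):
    # Bound matchingType 0, require whole bytes, emit lower-case canonical hex.
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching_type not in (0, 1, 2):
        return None
    expected_len = {1: 64, 2: 128}.get(matching_type)
    if expected_len is not None and len(data) != expected_len:
        return None
    if matching_type == 0 and not (0 < len(data) <= MAX_TLSA_HEX and len(data) % 2 == 0):
        return None
    if not re.fullmatch(_HEX, data):
        return None
    return f'{usage} {selector} {matching_type} {data.lower()}'


# Characters that change how a master-file line is parsed: controls (line
# breaks), ';' (comment), '(' ')' (multi-line grouping), '"' (quoting).
_ZONE_UNSAFE = re.compile(r'[\x00-\x1f\x7f;()"]')


def render_zone_line(owner, ttl, rtype, rdata):
    # Last line of defence: refuse rdata that could escape its own line.
    # (For the unquoted record types shown here; TXT needs proper quoting.)
    if rdata is None or _ZONE_UNSAFE.search(rdata):
        raise ValueError('rdata contains characters that alter zone-file parsing')
    return f'{owner} {ttl} IN {rtype} {rdata}'


if __name__ == '__main__':
    # Constructed inputs: a LOC value with a line break between fields and a
    # TLSA full-certificate value far larger than any real certificate.
    split_loc = '52 22 23.000 N 4 53 32.000 E\n-2.00m'
    print('weak LOC  :', repr(validate_loc_weak(split_loc)))
    print('strict LOC:', validate_loc(split_loc))
    huge = 'ab' * 70000
    print('weak TLSA accepts', len(huge), 'hex chars:', validate_tlsa_weak(3, 1, 0, huge) is not None)
    print('strict TLSA:', validate_tlsa(3, 1, 0, huge))
    print(render_zone_line('example.com.', 3600, 'LOC', validate_loc('52 N 4 E 0m')))
```

The hardened side applies three independent controls, and each one alone stops a different case: the `[ \t]+` separator with `fullmatch()` rejects both an embedded and a trailing newline, the `MAX_TLSA_HEX` bound and even-length check reject oversized or half-byte certificate data, and `render_zone_line` refuses to emit any rdata that a weaker validator let through, so a regression in one validator cannot reach the zone file.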

Affected Systems

Froxlor server administration software from the froxlor project. Versions 2.3.6 and earlier are affected. This CVE tracks the incomplete fix for the earlier CVE-2026-30932 (the GHSA advisory listed under Advisories carries that title): the first patch left the three validation problems named in the description in place, and version 2.3.7 contains the updated patch. Administrators should confirm they are running 2.3.7 or later rather than the release that shipped the first fix.

Risk and Exploitability

The CVSS 4.0 base score of 8.6 (vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) indicates high severity. No EPSS score is available, so the likelihood of real-world exploitation is unknown, and the CVE is not listed in the CISA KEV catalog, so no exploitation in the wild has been reported. Per the vector, the attack is network-reachable, low complexity, and needs only low privileges and no user interaction: in practice, an authenticated Froxlor account with permission to create or modify DNS records. The vector rates confidentiality and integrity impact as high and availability impact as none, so the scored outcome is tampering with zone data rather than denial of service.

Generated by OpenCVE AI on June 4, 2026 at 19:50 UTC.

Remediation

No separate vendor workaround is listed; the description states that version 2.3.7 contains the updated patch.

OpenCVE Recommended Actions

  • Upgrade Froxlor to version 2.3.7 or later, verifying that the validation regexes and TLSA limits have been corrected as described in the release notes.
  • If an upgrade is not immediately possible, disable or restrict any feature that allows user‑supplied DNS record input until a patch is applied.
  • Apply any additional security updates or workarounds cited in the vendor’s GitHub security advisory, and monitor logs for unexpected zone‑file changes.


Advisories
Source: GitHub GHSA
ID: GHSA-j6fm-9rfm-j5hx
Title: Froxlor has an incomplete fix for CVE-2026-30932
History

Thu, 04 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Froxlor; Froxlor froxlor
Vendors & Products | (none) | Froxlor; Froxlor froxlor

Thu, 04 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch.
Title | (none) | Froxlor has an incomplete fix for CVE-2026-30932
Weaknesses | (none) | CWE-74
References | (none) |
Metrics | (none) | cvssV4_0: score 8.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T17:55:19.361Z

Reserved: 2026-04-18T03:47:03.134Z

Link: CVE-2026-41237

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T19:16:29.503

Modified: 2026-06-04T19:16:29.503

Link: CVE-2026-41237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T20:00:15Z

Weaknesses