PT-2026-27480 · Froxlor

Published 2026-03-24 · Updated 2026-05-29

CVE-2026-30932

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Froxlor versions prior to 2.3.5
Description: The DomainZones.add API command, reached through /api.php, is available to any customer account that has DNS enabled. For the record types LOC, RP, SSHFP and TLSA the content parameter is not validated, so a customer can submit a value that contains newline characters followed by BIND zone-file directives such as $INCLUDE. The value is accepted and, when the DNS rebuild cron job next runs, written verbatim into the zone file on disk, where the injected text becomes zone-file lines of its own and is interpreted by BIND as directives. The consequences are information disclosure, DNS service disruption and potential manipulation of zone data. An ordinary customer login is sufficient, which matches the PR:L in the CVSS vector.

The vulnerable code resides in lib/Froxlor/Api/Commands/DomainZones.php (lines 213-214, 253-254, 290-291, 292-293) and lib/Froxlor/Dns/DnsEntry.php (line 83); the zone file is written in lib/Froxlor/Cron/Dns/Bind.php (line 121). Exploitation can be demonstrated with curl against the DomainZones.add command, placing BIND directives in the content parameter of a LOC record. The API endpoint is /api.php and the vulnerable parameter is content.
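The following is an added illustration written for this page; it is not Froxlor's code and not an exploit from the advisory. It shows, in Python, the failure mode the description covers: a toy zone writer (a stand-in for Bind.php, constructed here) that interpolates the customer-supplied content verbatim, a defender-side scan of the rendered zone for directive lines, and the input validation that should run on the content parameter before the record is accepted. The sample LOC record and the injected variant are constructed for the example; the /etc/passwd target in the injected value is an arbitrary illustration of what $INCLUDE can reference, not a claim about what the advisory's researchers used.

```python
import re

# Added illustration, not Froxlor's code: a toy zone writer that interpolates the
# customer-supplied "content" verbatim (the failure mode in the advisory), a
# defender-side scan of the rendered zone for BIND directives, and the input
# validation that should run before the value is ever stored.

# Constructed sample values: a valid LOC record in RFC 1876 syntax, and the same
# record with a newline and a BIND directive appended, as a customer could submit
# in the content parameter of DomainZones.add.
GOOD_LOC = "52 22 23.000 N 4 53 32.000 E -2.00m 0.00m 10000m 10m"
INJECTED_LOC = "52 22 23.000 N 4 53 32.000 E -2.00m\n$INCLUDE /etc/passwd"


def render_zone(origin, records):
    """Naive writer: each (name, ttl, type, content) tuple becomes one line, and
    content is interpolated without any escaping or validation."""
    lines = [f"$ORIGIN {origin}.", "$TTL 3600"]
    for name, ttl, rtype, content in records:
        lines.append(f"{name}\t{ttl}\tIN\t{rtype}\t{content}")
    return "\n".join(lines) + "\n"


# BIND honours directives only at the start of a line, which is why the attacker
# needs the newline; scanning line starts for them finds the injection.
BIND_DIRECTIVE = re.compile(r"^[ \t]*\$(INCLUDE|GENERATE|ORIGIN|TTL)\b.*$", re.I | re.M)


def find_directives(zone_text):
    """Return every directive line in a rendered zone, header lines included, so
    the caller can compare against the directives its own writer emits."""
    return [m.group(0).strip() for m in BIND_DIRECTIVE.finditer(zone_text)]


# Hardened validation for the four record types the advisory names. The shape
# checks loosely follow RFC 1876 (LOC), RFC 1183 (RP), RFC 4255 (SSHFP) and
# RFC 6698 (TLSA): one line, printable, fields in the expected order.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
HEX = r"[0-9A-Fa-f]+"
DNAME = r"[A-Za-z0-9._-]+"
LOC_DMS = r"\d{1,3}( \d{1,2}( \d{1,2}(\.\d{1,3})?)?)?"  # deg [min [sec]]
LOC_LEN = r"-?\d+(\.\d+)?m?"                              # altitude / size / precision
RECORD_SHAPE = {
    "LOC": re.compile(rf"^{LOC_DMS} [NS] {LOC_DMS} [EW] {LOC_LEN}( {LOC_LEN}){{0,3}}$"),
    "RP": re.compile(rf"^{DNAME} {DNAME}$"),
    "SSHFP": re.compile(rf"^[0-9]{{1,3}} [0-9]{{1,3}} {HEX}$"),
    "TLSA": re.compile(rf"^[0-3] [01] [0-2] {HEX}$"),
}


def check_record_content(rtype, content):
    """Return None if content is acceptable for rtype, otherwise a short reason.
    The control-character test alone closes the newline injection; the shape
    test additionally rejects anything that is not a plausible record."""
    if CONTROL_CHARS.search(content):
        return "control character in content"
    if content.lstrip().startswith("$"):
        return "content starts with a BIND directive"
    shape = RECORD_SHAPE.get(rtype)
    if shape is None:
        return f"no validator for type {rtype}"
    if not shape.fullmatch(content):
        return f"content does not match {rtype} syntax"
    return None


if __name__ == "__main__":
    zone = render_zone("example.com", [("@", 3600, "LOC", INJECTED_LOC)])
    print(zone)
    print("directive lines:", find_directives(zone))
    for value in (GOOD_LOC, INJECTED_LOC):
        print(repr(value), "->", check_record_content("LOC", value))
```

Run stand-alone, the script prints the rendered zone with the $INCLUDE line on its own row, lists the three directive lines it finds, and reports the good record as acceptable and the injected one as rejected. The directive scan is a one-off check for zone files already generated on a host: anything beyond the $ORIGIN and $TTL header the writer itself emits is suspect. It does not replace the upgrade, because the record persists and is rewritten at every rebuild.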
Recommendations: Update Froxlor to version 2.3.5 or later. Until the update is applied, DNS can be disabled for customer accounts, and zone files already generated on the host should be checked for directive lines, $INCLUDE in particular, that the Froxlor writer did not emit itself.

Weakness Enumeration: Special Elements Injection

Related Identifiers

CVE-2026-30932
GHSA-J6FM-9RFM-J5HX
GHSA-X6W6-2XWP-3JH6

Affected Products

BIND
Froxlor