CVE-2026-30932

HIGH EPSS 41.5%
Published Mar 24, 20263mo ago · Modified Jun 17, 20262w ago
8.6 CVSS 4.0
High
Find Similar
Published Mar 24, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.

CVSS Details

Base Score
8.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
41.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-74

Affected Products 1

VendorProductVersionRange
froxlorfroxlor* <2.3.5

References 3

  • github.com https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b
    Patch
  • github.com https://github.com/froxlor/froxlor/releases/tag/2.3.5
    ProductRelease Notes
  • github.com https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b
    Patch