
46 matches found

Cvelist
added 2026/06/04 5:47 p.m. | 29 views

CVE-2026-41234 Froxlor: BIND Zone File Injection via TXT Record Content

Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...

7.6 CVSS | 0.00046 EPSS
Exploits: 0 | References: 3

Cvelist
added 2026/01/24 1:25 a.m. | 30 views

CVE-2026-24401 Avahi has Uncontrolled Recursion in lookup_handle_cname function

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonica...

6.5 CVSS | 0.00061 EPSS
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2006-4240

Malware in sbrugna...

5 CVSS | 6.2 AI score | 0.00012 EPSS
Exploits: 0 | References: 9

Hacker One
added 2024/06/14 10:58 a.m. | 38 views

U.S. Dept Of Defense: Subdomain takeover ██████

The subdomain █████ was found to be pointing to open-elb-prod-277276106.us-east-1.elb-amazonaws.com., and the domain elb-amazonaws.com was available for registration. This vulnerability could have been exploited to host unwanted content, receive email, and potentially execute cross-site scripting...

6.7 AI score
Exploits: 0

Hacker One
added 2023/10/01 8:1 p.m. | 27 views

U.S. Dept Of Defense: Subdomain Takeover via Host Header Injection on www.█████

The vulnerability was a subdomain takeover due to a CNAME record pointing to an unclaimed domain. This allowed malicious individuals to potentially take control of the affected subdomain and use it for malicious purposes...

7.2 AI score
Exploits: 0

SUSE CVE
added 2023/02/15 6:14 a.m. | 3 views

SUSE CVE-2006-4252

PowerDNS Recursor 3.1.3 and earlier allows remote attackers to cause a denial of service (resource exhaustion and application crash) via a CNAME record with a zero TTL, which triggers an infinite loop...

5 CVSS | 6.8 AI score | 0.00012 EPSS
Exploits: 0 | References: 4

Hacker One
added 2022/09/26 12:49 a.m. | 53 views

Gymshark: Subdomain takeover on 'de-headless.staging.gymshark.com'

The Gymshark subdomain https://de-headless.staging.gymshark.com/ was pointing to an unclaimed Shopify site. Because of this an attacker could claim this subdomain, via Shopify, and serve their own content. This is extremely dangerous as an attacker could serve any malicious content on this domain...

1.1 AI score
Exploits: 0

RedhatCVE
added 2022/06/27 2:5 p.m. | 35 views

CVE-2022-2220

Insufficient Granularity of Access Control in an OpenShift router causes improper subdomain ownership verification, allowing route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record to expose this route externally. The CNAME...

2.3 AI score
Exploits: 0 | References: 3

Hacker One
added 2021/08/19 8:28 p.m. | 105 views

Affirm: Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]

Summary: I was looking at recently disclosed report 1297689 and I was thinking to take a look for the same issue on this asset, as I love to test for subdomain takeover vulnerabilities. While testing I noticed a DNS entry for ███████.████.██████████.com is CNAME ████.███████████ whose TLD is not...

6.7 AI score
Exploits: 0

Hacker One
added 2021/08/07 11:45 a.m. | 106 views

Palo Alto Software: DNS Misconfiguration Leads to Subdomain Takeover - max1.liveplan.com

Summary: The issue happens due to using EC2 public DNS instead of using Elastic IPs as CNAME record. This report is similar to report 1069795 Misconfiguration - DNS Records json "host": "max1.liveplan.com", "resolver": "1.0.0.1:53" , "a": "54.68.121.128" , "cname":...

7 AI score
Exploits: 0

Hacker One
added 2021/05/03 8:55 p.m. | 325 views

Sifchain: Subdomain Takeover At the Main Domain Of Your Site

Hello, I know that this isn't in the scope, but this is the only way I can report, and this issue is very high. It belongs to the main domain. This is a pretty serious security issue in some context, so please act as fast as possible. Overview: the main domain sifchain.finance is pointing to wix.com, which...

6.6 AI score
Exploits: 0

Securelist
added 2020/12/18 1:0 p.m. | 130 views

Sunburst: connecting the dots in the DNS requests

On December 13, 2020, FireEye published important details of a newly discovered supply chain attack. An unknown attacker, referred to as UNC2452 or DarkHalo, planted a backdoor in the SolarWinds Orion IT software. This backdoor, which comes in the form of a .NET module, has some really interesting...

6.7 AI score
Exploits: 0

Hacker One
added 2020/09/29 11:15 a.m. | 11 views

Booking.com: Subdomain takeover of ci-support.booking.com (pointing to Zendesk)

Description: Host ci-support.booking.com has a CNAME record pointing to ci-support.zendesk.com. Before I created my proof of concept (see below), that Zendesk subdomain ci-support was unclaimed, as was the custom hostname ci-support.booking.com on Zendesk. As a result, an attacker could create a...

5.8 AI score
Exploits: 0

Hacker One
added 2020/05/09 3:28 p.m. | 47 views

Shopify: Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition)

Hello, Description: The subdomain at https://help.tictail.com has an unclaimed CNAME record tictail.zendesk.com. I checked the username availability in the signup process at Zendesk; it was observed that the subdomain is vulnerable to a subdomain takeover which allows an...

7 AI score
Exploits: 0

Kitploit
added 2020/04/16 9:30 p.m. | 80 views

DNSProbe - A Tool Built On Top Of Retryabledns That Allows You To Perform Multiple DNS Queries Of Your Choice With A List Of User Supplied Resolvers

DNSProbe is a tool built on top of retryabledns that allows you to perform multiple DNS queries of your choice with a list of user-supplied resolvers. Features: Simple and handy utility to query DNS records. Usage: dnsprobe -h. This will display help for the tool. Here are all the switches it...

7.4 AI score
Exploits: 0 | References: 2

Hacker One
added 2020/01/23 3:40 p.m. | 104 views

Stripo Inc: subdomain takeover at status-stage0.stripo.email

The subdomain status-stage0.stripo.email was pointed at uptimerobot.com whereas it was not being used, but having CNAME record as stats.uptimerobot.com. Hence anyone can take it over. I have parked it with an account on uptimerobot.com. Note: this issue is similar to report but with another...

0.7 AI score
Exploits: 0

Hacker One
added 2020/01/21 4:51 p.m. | 144 views

Lyst: Subdomain takeover of storybook.lystit.com

Summary: The subdomain storybook.lystit.com had a CNAME record pointing to an unclaimed S3 bucket. This is a high severity security issue because an attacker can register the bucket on AWS and therefore can serve her own content on the subdomain. This allows for various attacks. Description: The...

6.3 AI score
Exploits: 0

Hacker One
added 2019/11/14 7:57 p.m. | 73 views

Stripo Inc: subdomain takeover at status0.stripo.email

Hi, The subdomain status0.stripo.email was pointed at uptimerobot.com whereas it was not being used, but having CNAME record as stats.uptimerobot.com. Hence anyone can take it over. I have parked it with a test account on uptimerobot.com. F634639 F634636 Thanks. Impact: Anyone can use this subdomai...

0.7 AI score
Exploits: 0

Hacker One
added 2019/08/01 10:49 a.m. | 74 views

Starbucks: Subdomain takeover of datacafe-cert.starbucks.com

Summary: The subdomain datacafe-cert.starbucks.com had a CNAME record pointing to an unclaimed Azure webservice. This is a high severity security issue because an attacker can register the subdomain on Azure and therefore can own the subdomain datacafe-cert.starbucks.com. Description: The dangli...

Exploits: 0

Samba
added 2018/11/27 12:0 a.m. | 126 views

Unprivileged adding of CNAME record causing loop

Description: All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any DNS record can be added via LDAP by an unprivileged user using the ldbadd tool, so this is a security issue. Patch Availability: Patches addressing both these issues have been...

6.5 CVSS | 6.8 AI score | 0.08971 EPSS
Exploits: 1