CVE-2026-41234

Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...

CVE-2026-41237

Froxlor CVE-2026-41237 affects versions 2.3.6 and earlier, where the LOC record regex uses \s+ allowing embedded newlines, TLSA matchingType=0 has no upper bound on hex data length, and validators return raw input without zone-file escaping. Version 2.3.7 includes an updated patch. Technical deta...

GHSA-37M5-M4Q3-FC6X Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

Arbitrary Code Injection

Froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper escaping of single quotes in PhpHelper::parseArrayToString, which allows an attacker to inject arbitrary PHP code through the privilegeduser parameter that gets executed on subsequent requests...

CVE-2026-41229

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

EUVD-2026-25186

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

Froxlor 安全漏洞

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 contained security vulnerabilities. These vulnerabilities stemmed from the use of the adminid parameter in Domains.add without verification, allowing administrators to assi...

PT-2026-34638

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers see all permission. This allows a reseller to attribute newly created...

PHP Remote File Inclusion

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the deflanguage parameter in the API, which is not properly validated against the list of available language files. An attacker can execute arbitrary PHP...

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

EUVD-2026-14964

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API...

Froxlor 注入漏洞

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.5 had an injection vulnerability. This vulnerability stemmed from the lack of validation of the content fields of the DomainZones.add API endpoint, which could allow for the...

CVE-2026-26279

CVE-2026-26279 affects Froxlor before 2.3.4. A typo in input validation (using == instead of =) prevents email fields from being validated, allowing an authenticated admin to store arbitrary strings in panel_adminmail. That value is later interpolated into a shell command executed as root by a cr...

GHSA-33MP-8P67-XJ7C Froxlor has Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection

Summary A typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings — including shell metacharacters — in the panel.adminmail setting. This value i...

CVE-2018-12642

Froxlor through 0.9.39.5 has Incorrect Access Control for tickets not owned by the current user...

CVE-2020-10237

An issue was discovered in Froxlor through 0.10.15. The installer wrote configuration parameters including passwords into files in /tmp, setting proper permissions only after writing the sensitive data. A local attacker could have disclosed the information if he read the file at the right time,...

EUVD-2015-5904

Malware in sbrugna...

EUVD-2022-7757

Malicious code in bioql PyPI...