Lucene search
K

661 matches found

OSV
OSV
added 2026/04/16 12:46 a.m.3 views

GHSA-JVX4-XV3M-HRJ4 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()

Summary In Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created domains to any other admin, bypassing their own domain quota since the...

5.4CVSS5.9AI score0.00264EPSS
Exploits1References5
Circl
Circl
added 2026/04/15 6:39 a.m.12 views

CVE-2026-41233

creationtimestamp| type| source ---|---|--- 2026-04-15 06:39:50+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-jvx4-xv3m-hrj4...

5.4CVSS5.8AI score0.00264EPSS
Exploits1References1
Circl
Circl
added 2026/04/15 6:39 a.m.9 views

CVE-2026-41232

creationtimestamp| type| source ---|---|--- 2026-04-15 06:39:05+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6...

5CVSS5.8AI score0.00231EPSS
Exploits1References1
Veracode
Veracode
added 2026/03/28 5:22 a.m.6 views

Arbitrary Code Injection

froxlor/froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper validation of DNS record content in the DomainZones.add endpoint, which allows an attacker to inject malicious directives into zone files and manipulate DNS configuration...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.8 views

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

8.8CVSS5.7AI score0.00544EPSS
Exploits1References1
NVD
NVD
added 2026/03/24 7:16 p.m.4 views

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

8.8CVSS0.00544EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/03/24 6:46 p.m.9 views

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

8.6CVSS5.8AI score0.00544EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/24 6:46 p.m.2 views

CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

8.6CVSS5.8AI score0.00544EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/24 6:46 p.m.27 views

CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

8.6CVSS0.00544EPSS
Exploits1References3
CVE
CVE
added 2026/03/24 6:46 p.m.23 views

CVE-2026-30932

Froxlor is vulnerable to BIND zone file injection via unsanitized content in DomainZones.add for LOC, RP, SSHFP, and TLSA records. The API does not validate content, allowing injection of BIND directives like $INCLUDE which get written into the zone file and processed by BIND, exposing server fil...

8.8CVSS5.8AI score0.00544EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/24 6:46 p.m.2 views

CVE-2026-30932 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file...

8.6CVSS5.8AI score0.00544EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/24 4:49 p.m.11 views

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/03/24 4:49 p.m.2 views

GHSA-X6W6-2XWP-3JH6 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References5
EUVD
EUVD
added 2026/03/24 4:49 p.m.4 views

EUVD-2026-14964

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API...

8.6CVSS5.8AI score0.00544EPSS
Exploits1References3
Circl
Circl
added 2026/03/24 7:13 a.m.6 views

CVE-2026-30932

creationtimestamp| type| source ---|---|--- 2026-03-24 07:13:33+00:00| published-proof-of-concept| https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6...

8.8CVSS5.8AI score0.00544EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.5 views

PT-2026-27480

Name of the Vulnerable Software and Affected Versions Froxlor versions prior to 2.3.5 Description The DomainZones.add API endpoint, accessible to customers with DNS enabled, does not validate the content field for specific DNS record types LOC, RP, SSHFP, TLSA. This allows an attacker to inject...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References17
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.8 views

Froxlor 注入漏洞

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.5 had an injection vulnerability. This vulnerability stemmed from the lack of validation of the content fields of the DomainZones.add API endpoint, which could allow for the...

8.8CVSS5.8AI score0.00544EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/05 1:57 a.m.6 views

CVE-2026-26279

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...

9.1CVSS7.4AI score0.00802EPSS
Exploits1References1
NVD
NVD
added 2026/03/03 11:15 p.m.11 views

CVE-2026-26279

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...

9.1CVSS0.00802EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/03/03 10:31 p.m.31 views

CVE-2026-26279 Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...

9.1CVSS0.00802EPSS
Exploits1References3
Rows per page
Query Builder