
100 matches found

OSV
added yesterday, 1 view

GHSA-37M5-M4Q3-FC6X Froxlor: BIND Zone File Injection via TXT Record Content

Summary: The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

CVSS 7.6, AI score 6
Exploits 0, References 4

Github Security Blog
added yesterday, 6 views

Froxlor: BIND Zone File Injection via TXT Record Content

Summary: The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

CVSS 8.8, AI score 6, EPSS 0.00025
Exploits 1, References 4, Affected Software 1

Positive Technologies
added yesterday, 5 views

PT-2026-46116

Summary: The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

CVSS 8.8, AI score 6, EPSS 0.00025
Exploits 1, References 5

Github Security Blog
added 6 days ago, 8 views

Froxlor has an incomplete fix for CVE-2026-30932

Summary: The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

CVSS 8.8, AI score 5.9, EPSS 0.00025
Exploits 1, References 3, Affected Software 1

OSV
added 6 days ago, 4 views

GHSA-J6FM-9RFM-J5HX Froxlor has an incomplete fix for CVE-2026-30932

Summary: The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

CVSS 8.8, AI score 5.9, EPSS 0.00025
Exploits 1, References 3

Positive Technologies
added 6 days ago, 10 views

PT-2026-44908

Summary: The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: al...

CVSS 8.8, AI score 5.9, EPSS 0.00025
Exploits 1, References 4

AstraLinux
added 2026/05/03 11:59 p.m., 11 views

Astra Linux - vulnerability in ldns

When a zone file in ldns 1.7.1 is parsed, the function ldns_nsec3_salt_data places too much trust in the length value obtained from the zone file. During the memcpy operation, 0xfe - ldns_rdf_size(salt_rdf) bytes of data can be copied, leading to heap overflow information leakage...

CVSS 7.5, AI score 7.2, EPSS 0.00332
Exploits 1, References 2

AstraLinux
added 2026/05/03 11:59 p.m., 1 view

Astra Linux - vulnerability in ldns

When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_internal function has a heap out-of-bounds read vulnerability. An attacker can leak information from the heap by constructing a zone file payload...

CVSS 6.5, AI score 7, EPSS 0.00366
Exploits 1, References 2

CVE
added 2026/04/23 3:47 a.m., 8 views

CVE-2026-41230

CVE-2026-41230 affects Froxlor prior to 2.3.6 through DomainZones::add(), where arbitrary DNS record types and newline-containing content are not sanitized. This allows an authenticated user to inject DNS records and BIND directives (e.g., $INCLUDE, $ORIGIN, $GENERATE) into zone files by submitti...

CVSS 8.5, AI score 5.8, EPSS 0.00057
Exploits 1, References 3, Affected Software 1

Vulnrichment
added 2026/04/23 3:47 a.m., 0 views

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

CVSS 8.5, AI score 5.8, EPSS 0.00057
Exploits 1, References 3

Cvelist
added 2026/04/23 3:47 a.m., 35 views

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

CVSS 8.5, EPSS 0.00057
Exploits 1, References 3

OSV
added 2026/04/16 12:47 a.m., 2 views

GHSA-47HF-23PW-3M8C Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Summary: DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded...

CVSS 8.5, AI score 5.9, EPSS 0.00057
Exploits 1, References 5

Github Security Blog
added 2026/04/16 12:47 a.m., 3 views

Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Summary: DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded...

CVSS 8.5, AI score 5.9, EPSS 0.00057
Exploits 1, References 5, Affected Software 1

RedhatCVE
added 2026/04/15 9:44 a.m., 0 views

CVE-2026-40719

A flaw was found in MaraDNS. A remote attacker can exploit this vulnerability by providing a specially crafted DNS zone file where the authoritative nameserver address cannot be resolved. This can lead to the exhaustion of connection slots, resulting in a Denial of Service (DoS) for legitimate user...

CVSS 7.5, AI score 5.8, EPSS 0.00018
Exploits 0, References 2

NVD
added 2026/03/24 7:16 p.m., 2 views

CVE-2026-30932

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file...

CVSS 8.8, EPSS 0.00025
Exploits 1, References 3

CVE
added 2026/03/24 6:46 p.m., 3 views

CVE-2026-30932

Froxlor is vulnerable to BIND zone file injection via unsanitized content in DomainZones.add for LOC, RP, SSHFP, and TLSA records. The API does not validate content, allowing injection of BIND directives like $INCLUDE which get written into the zone file and processed by BIND, exposing server fil...

CVSS 8.8, AI score 5.8, EPSS 0.00025
Exploits 1, References 3, Affected Software 1

EUVD
added 2026/03/24 4:49 p.m., 0 views

EUVD-2026-14964

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API...

CVSS 8.6, AI score 5.8, EPSS 0.00025
Exploits 1, References 3

Tenable Nessus
added 2025/11/16 12:0 a.m., 3 views

Fedora 43 : bind9-next (2025-b68f7f541d)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-b68f7f541d advisory. Update to 9.21.14 rhbz2394406 Security Fixes: - DNSSEC validation fails if matching but invalid DNSKEY is found. CVE-2025-8677 - Address various...

CVSS 8.6, AI score 6.7, EPSS 0.00071
Exploits 1, References 4

NVD
added 2025/11/01 7:15 p.m., 2 views

CVE-2025-12603

/etc/timezone can be Arbitrarily Written. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...

CVSS 9.8, EPSS 0.00054
Exploits 0, References 1

CVE
added 2025/11/01 6:56 p.m., 13 views

CVE-2025-12603

CVE-2025-12603 concerns Azure Access Technology BLU-IC2 and BLU-IC4 devices where the /etc/timezone file can be written arbitrarily. Multiple sources (NVD/CNVD/CVELIST) concur that this affects BLU-IC2 and BLU-IC4 up to version 1.19.5. PT Security specifies that the vulnerability allows arbitrary...

CVSS 9.8, AI score 6.6, EPSS 0.00054
Exploits 0, References 1, Affected Software 1