Lucene search
K

9 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.9 views

CVE-2026-41234

Froxlor is open source server administration software. Prior to version 2.3.7, the DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record...

7.6CVSS5.5AI score0.0027EPSS
Exploits0References1
OSV
OSV
added 2026/06/03 9:2 p.m.6 views

GHSA-37M5-M4Q3-FC6X Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

7.6CVSS6AI score0.0027EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/03 9:2 p.m.12 views

Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

8.8CVSS6AI score0.00544EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:45 p.m.14 views

Froxlor has an incomplete fix for CVE-2026-30932

Summary The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References6Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/23 3:47 a.m.3 views

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

8.5CVSS5.8AI score0.00347EPSS
Exploits1References3
CVE
CVE
added 2026/04/23 3:47 a.m.16 views

CVE-2026-41230

CVE-2026-41230 affects Froxlor prior to 2.3.6 through DomainZones::add(), where arbitrary DNS record types and newline-containing content are not sanitized. This allows an authenticated user to inject DNS records and BIND directives (e.g., $INCLUDE, $ORIGIN, $GENERATE) into zone files by submitti...

8.5CVSS5.8AI score0.00347EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/04/16 12:47 a.m.4 views

GHSA-47HF-23PW-3M8C Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Summary DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g., NAPTR, PTR, HINFO, content validation is entirely bypassed. Embedded...

8.5CVSS5.9AI score0.00347EPSS
Exploits1References5
CVE
CVE
added 2026/03/24 6:46 p.m.22 views

CVE-2026-30932

Froxlor is vulnerable to BIND zone file injection via unsanitized content in DomainZones.add for LOC, RP, SSHFP, and TLSA records. The API does not validate content, allowing injection of BIND directives like $INCLUDE which get written into the zone file and processed by BIND, exposing server fil...

8.8CVSS5.8AI score0.00544EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/03/24 4:49 p.m.4 views

EUVD-2026-14964

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API...

8.6CVSS5.8AI score0.00544EPSS
Exploits1References3
Rows per page
Query Builder