Cyber Posture

CVE-2026-30932

Severity: High · Public PoC

Published: 24 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: fixed in Froxlor 2.3.5
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30932 is a high-severity injection vulnerability (CWE-74, improper neutralization of special elements in output used by a downstream component) in Froxlor. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 6.3rd percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly addresses the core injection flaw by requiring validation of the content field in the DomainZones.add API endpoint for DNS record types such as LOC, RP, SSHFP, and TLSA, rejecting newlines and BIND zone file directives before the value is ever written into a zone.

SI-2 Flaw Remediation (prevent)
Mandates timely flaw remediation: upgrade to Froxlor 2.3.5 or later, which adds the missing input validation to the vulnerable API endpoint.

Integrity verification (detect)
Verifies the integrity of the BIND zone files written by the DNS rebuild cron job to identify tampering from injected directives such as $INCLUDE. Because the cron job legitimately rewrites these files, a plain file-hash baseline will alert on every rebuild; compare each generated file against the record set it was rendered from, or scan it for directives and comment lines the generator never emits.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes remote exploitation of an injection flaw in the public-facing Froxlor web/API panel (T1190) that turns low-privileged customer access into control over the zone data the DNS server loads and, through directives processed when the cron job rebuilds zones, potentially the underlying host (T1068). Note that the path is authenticated (CVSS PR:L): the attacker needs a customer account with DNS enabled, not merely network reachability of the panel.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Froxlor is open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs. This issue has been patched in version 2.3.5.

Deeper analysis

CVE-2026-30932 is an injection vulnerability (CWE-74) in Froxlor, open source server administration software. Prior to version 2.3.5, the DomainZones.add API endpoint, which is accessible to customers with DNS enabled, fails to validate the content field for specific DNS record types including LOC, RP, SSHFP, and TLSA. This allows attackers to inject newlines and BIND zone file directives, such as $INCLUDE, into the zone file that is subsequently written to disk when the DNS rebuild cron job runs. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Any customer account with DNS enabled can exploit this remotely over the network with low privileges and no user interaction. Because the content field is written into the zone verbatim, a value containing a newline ends the record and starts a new zone-file line under the attacker's control. By submitting such content via DomainZones.add, an attacker can manipulate the generated BIND zone file, potentially leading to unauthorized inclusion of files on the server, zone file tampering, or further compromise of the DNS infrastructure and underlying host, resulting in high confidentiality, integrity, and availability impacts.

The issue has been addressed in Froxlor version 2.3.5, as detailed in the project's security advisory (GHSA-x6w6-2xwp-3jh6), release notes, and the patching commit. Security practitioners should upgrade to version 2.3.5 or later, review which customer accounts have DNS enabled and therefore reach the DomainZones.add endpoint, and audit existing generated zone files for directives such as $INCLUDE that the rebuild job would never emit on its own.

Details

CWE(s): CWE-74 Injection

Affected Products
Vendor: froxlor
Product: froxlor
Versions: prior to 2.3.5 (fixed in 2.3.5)

CVEs Like This One

CVE-2026-41228 (same product: Froxlor)
CVE-2026-41230 (same product: Froxlor)
CVE-2026-41229 (same product: Froxlor)
CVE-2026-41231 (same product: Froxlor)
CVE-2026-26279 (same product: Froxlor)
CVE-2025-29773 (same product: Froxlor)
CVE-2026-27194 (shared CWE-74)
CVE-2026-31816 (shared CWE-74)
CVE-2026-25814 (shared CWE-74)
CVE-2026-32695 (shared CWE-74)