EXECUTIVE SUMMARY:
CVE-2026-30932 (CVSS score 7.6) is a zone-file injection flaw in Froxlor's DNS management component that affects all releases up to and including 2.3.6. The DomainZones.add API endpoint does not strip newline characters from TXT record values. An authenticated customer with DNS-editing privileges can therefore embed a newline in the TXT content; when Froxlor renders the BIND zone file, the text after the newline no longer sits inside the quoted TXT string but starts a new zone line that BIND parses like any other. Through a crafted API request or a modified web-UI POST, the attacker can inject BIND directives such as $INCLUDE or $GENERATE, or add rogue A, MX or CNAME records, all of which are written to disk and loaded by the periodic DNS rebuild cron job. The reported consequences are reading server files (e.g. /etc/passwd) via $INCLUDE, redirecting subdomains to attacker-controlled IPs, hijacking email routing, and zone parsing errors that take the targeted domain's DNS offline. One caveat for assessing impact: $INCLUDE makes BIND parse the named file as zone data, so a file that is not valid master-file syntax fails the zone load rather than becoming readable, which is itself an outage for that zone. Exploitation requires only valid customer credentials with DNS edit rights and an active DNS rebuild job, which makes the flaw especially dangerous in multi-tenant hosting environments where customers share one BIND service.
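The following is an added example (not Froxlor's code and not taken from the advisory) that reproduces the injection pattern in miniature: a naive TXT renderer that interpolates the customer value as-is, the hardened form that rejects control characters and escapes the quote terminators, and a post-generation check that scans a rendered zone for $INCLUDE/$GENERATE and for records whose owner name the generator never produced. The payload string, owner names and the helper names are constructed for illustration.

```python
import re

# Constructed sample payload (illustrative; not from the advisory): a TXT value
# that closes the intended record with a newline, injects a directive and a
# rogue A record, and ends with a dummy record that absorbs the trailing quote
# the renderer appends, so the resulting zone text stays syntactically coherent.
MALICIOUS_TXT = (
    "v=spf1 -all\n"
    "$INCLUDE /etc/passwd\n"
    "www 3600 IN A 192.0.2.10\n"
    'junk 3600 IN TXT '
)

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Directives a templated generator emits itself at the top of the file.
LEGIT_DIRECTIVE = re.compile(r"^\$(ORIGIN|TTL)\b")
# Directives that never belong in the customer-record section.
INJECTED_DIRECTIVE = re.compile(r"^\$(INCLUDE|GENERATE)\b")


class InvalidRecordValue(ValueError):
    """Raised when a customer-supplied record value cannot be rendered safely."""


def render_txt_vulnerable(owner: str, value: str, ttl: int = 3600) -> str:
    """Naive renderer in the style the advisory describes: the value is pasted
    into the line unchanged, so an embedded newline terminates the quoted TXT
    string and everything after it becomes fresh zone lines."""
    return f'{owner} {ttl} IN TXT "{value}"\n'


def is_safe_txt_value(value: str) -> bool:
    """A TXT value submitted through a form or API has no business containing
    control characters; newline (0x0a) is the one this flaw hinges on."""
    return CONTROL_CHARS.search(value) is None


def render_txt_hardened(owner: str, value: str, ttl: int = 3600) -> str:
    """Hardened renderer: reject control characters, then escape backslash and
    double quote so the value cannot close the character-string early.
    Assumption of this example: the value is handled as text and the RFC 1035
    255-octet limit per character-string is applied per character, which is
    exact for ASCII input."""
    if not is_safe_txt_value(value):
        raise InvalidRecordValue("control character in TXT value")
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)] or [""]
    quoted = " ".join(
        '"' + c.replace("\\", "\\\\").replace('"', '\\"') + '"' for c in chunks
    )
    return f"{owner} {ttl} IN TXT {quoted}\n"


def find_injected_lines(zone_text: str, expected_owners: set[str]) -> list[tuple[int, str]]:
    """Check a rendered zone before it is handed to BIND: flag $INCLUDE and
    $GENERATE, and any record whose owner name the generator did not supply.
    Returns (line number, line) pairs; an empty list means nothing suspicious."""
    hits = []
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";") or LEGIT_DIRECTIVE.match(stripped):
            continue
        if INJECTED_DIRECTIVE.match(stripped):
            hits.append((lineno, stripped))
            continue
        if stripped.split()[0] not in expected_owners:
            hits.append((lineno, stripped))
    return hits


if __name__ == "__main__":
    owner = "_dmarc.example.com."
    bad_zone = render_txt_vulnerable(owner, MALICIOUS_TXT)
    print(bad_zone)
    for n, text in find_injected_lines(bad_zone, {owner}):
        print(f"suspicious line {n}: {text}")
    try:
        render_txt_hardened(owner, MALICIOUS_TXT)
    except InvalidRecordValue as exc:
        print("hardened renderer rejected the value:", exc)
```

The rejection check belongs at the API boundary (the DomainZones.add handler in Froxlor's case) rather than only in the renderer, so the customer gets a validation error instead of a silently mangled record; the zone scan is a second line of defence that a rebuild job can run before reloading BIND, alongside named-checkzone.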
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-37m5-m4q3-fc6x