CVE-2026-30932

CVE-2026-30932 is a high-severity security vulnerability in froxlor/froxlor (composer), affecting versions <= 2.3.4. It is fixed in 2.3.5.

Summary

The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs.

Affected Code

lib/Froxlor/Api/Commands/DomainZones.php, lines 213-214, 253-254, 290-291, 292-293:

} elseif ($type == 'LOC' && !empty($content)) {
    $content = $content; // no validation
} ...
} elseif ($type == 'RP' && !empty($content)) {
    $content = $content; // no validation
} ...
} elseif ($type == 'SSHFP' && !empty($content)) {
    $content = $content; // no validation
} elseif ($type == 'TLSA' && !empty($content)) {
    $content = $content; // no validation
}

There is even a TODO comment at line 148 acknowledging this gap:

// TODO regex validate content for invalid characters

The content is then written directly into the BIND zone file via DnsEntry::__toString() (line 83 of lib/Froxlor/Dns/DnsEntry.php):

return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t" ... . $_content . PHP_EOL;

And the zone file is written to disk in lib/Froxlor/Cron/Dns/Bind.php line 121:

fwrite($zonefile_handler, $zoneContent . $subzones);

PoC

As a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives:

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{"command":"DomainZones.add","params":{"domainname":"example.com","type":"LOC","content":"0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd"}}' \
  https://panel.example.com/api.php

Alternatively via the web UI, intercept the DNS editor form POST and set dns_content to 0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd and dns_type to LOC.

After the DNS rebuild cron runs, the resulting zone file at {bindconf_directory}/domains/example.com.zone will contain:

@	18000	IN	LOC	0 0 0 N 0 0 0 E 0
$INCLUDE /etc/passwd

BIND will process the $INCLUDE directive and attempt to parse /etc/passwd as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as bind/named user), confirming file existence and potentially leaking parseable lines as DNS records.

Impact

  1. Information Disclosure: The $INCLUDE directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the DomainZones.get API call or the DNS editor in the web UI.

  2. DNS Service Disruption: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting $GENERATE directives could create massive record sets for amplification attacks.

  3. Zone Data Manipulation: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.

CVE-2026-30932 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.3.5); upgrading removes the vulnerable code path.

Affected versions

froxlor/froxlor (<= 2.3.4)

Security releases

froxlor/froxlor → 2.3.5 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade froxlor/froxlor to 2.3.5 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-30932? CVE-2026-30932 is a high-severity security vulnerability in froxlor/froxlor (composer), affecting versions <= 2.3.4. It is fixed in 2.3.5.
  2. How severe is CVE-2026-30932? CVE-2026-30932 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of froxlor/froxlor are affected by CVE-2026-30932? froxlor/froxlor (composer) versions <= 2.3.4 is affected.
  4. Is there a fix for CVE-2026-30932? Yes. CVE-2026-30932 is fixed in 2.3.5. Upgrade to this version or later.
  5. Is CVE-2026-30932 exploitable, and should I be worried? Whether CVE-2026-30932 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-30932 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-30932? Upgrade froxlor/froxlor to 2.3.5 or later.

Other vulnerabilities in froxlor/froxlor

CVE-2026-52793CVE-2026-41234CVE-2026-41237CVE-2026-41236CVE-2026-41235

Stop the waste.
Protect your environment with Kodem.