CVE-2026-30932: Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

March 24, 2026 (updated March 30, 2026)

The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs.

References

github.com/advisories/GHSA-x6w6-2xwp-3jh6
github.com/froxlor/froxlor
github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b
github.com/froxlor/froxlor/releases/tag/2.3.5
github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6
nvd.nist.gov/vuln/detail/CVE-2026-30932

Code Behaviors & Features

Detect and mitigate CVE-2026-30932 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →