Skip to main content

PHP CVE-2026-30932

| EUVDEUVD-2026-14964 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-24 https://github.com/froxlor/froxlor GHSA-x6w6-2xwp-3jh6
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:00 euvd
EUVD-2026-14964
Analysis Generated
Mar 24, 2026 - 17:00 vuln.today
Patch released
Mar 24, 2026 - 17:00 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:49 nvd
HIGH 8.6

DescriptionGitHub Advisory

Summary

The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs.

Affected Code

lib/Froxlor/Api/Commands/DomainZones.php, lines 213-214, 253-254, 290-291, 292-293:

php
} elseif ($type == 'LOC' && !empty($content)) {
    $content = $content; // no validation
} ...
} elseif ($type == 'RP' && !empty($content)) {
    $content = $content; // no validation
} ...
} elseif ($type == 'SSHFP' && !empty($content)) {
    $content = $content; // no validation
} elseif ($type == 'TLSA' && !empty($content)) {
    $content = $content; // no validation
}

There is even a TODO comment at line 148 acknowledging this gap:

php
// TODO regex validate content for invalid characters

The content is then written directly into the BIND zone file via DnsEntry::__toString() (line 83 of lib/Froxlor/Dns/DnsEntry.php):

php
return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t" ... . $_content . PHP_EOL;

And the zone file is written to disk in lib/Froxlor/Cron/Dns/Bind.php line 121:

php
fwrite($zonefile_handler, $zoneContent . $subzones);

PoC

As a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives:

bash
curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{"command":"DomainZones.add","params":{"domainname":"example.com","type":"LOC","content":"0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd"}}' \
  https://panel.example.com/api.php

Alternatively via the web UI, intercept the DNS editor form POST and set dns_content to 0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd and dns_type to LOC.

After the DNS rebuild cron runs, the resulting zone file at {bindconf_directory}/domains/example.com.zone will contain:

@	18000	IN	LOC	0 0 0 N 0 0 0 E 0
$INCLUDE /etc/passwd

BIND will process the $INCLUDE directive and attempt to parse /etc/passwd as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as bind/named user), confirming file existence and potentially leaking parseable lines as DNS records.

Impact

  1. Information Disclosure: The $INCLUDE directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the DomainZones.get API call or the DNS editor in the web UI.
  2. DNS Service Disruption: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting $GENERATE directives could create massive record sets for amplification attacks.
  3. Zone Data Manipulation: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.

AnalysisAI

Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.

Technical ContextAI

This vulnerability affects Froxlor (composer package froxlor/froxlor), a PHP-based web hosting control panel that generates BIND DNS zone files. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically injection into zone files. The affected code in DomainZones.php performs no validation on the content parameter for LOC, RP, SSHFP, and TLSA record types before writing them to BIND zone files through DnsEntry::__toString(). When the DNS rebuild cron executes, these unsanitized values are written directly to zone files using fwrite() in Bind.php. BIND then processes these files, interpreting embedded directives like $INCLUDE as legitimate zone file commands, allowing file system access within the BIND process context and zone data manipulation.

RemediationAI

Upgrade Froxlor to version 2.3.5 or later, which contains the fix implemented in commit b34829262dc32818b37f6a1eabb426d0b277a86b available at https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b. The patch adds proper input validation to prevent newline injection and BIND directive inclusion in DNS record content fields. Until patching is completed, operators can temporarily disable customer access to LOC, RP, SSHFP, and TLSA record creation through API access restrictions or database-level permissions, though this may impact legitimate DNS management functionality. Review existing DNS zones for suspicious content containing newlines or BIND directives through the zone file directory configured in bindconf_directory. Consult the release notes at https://github.com/froxlor/froxlor/releases/tag/2.3.5 for complete upgrade instructions.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Vendor StatusVendor

Debian

Bug #581792
froxlor
Release Status Fixed Version Urgency
open - -

Share

CVE-2026-30932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy