A vulnerability was discovered in Froxlor, an open-source server administration software. The issue, tracked as CVE-2026-41237, affects version 2.3.6 and earlier. The vulnerability arises from the LOC record regex using `\s+`, which also matches newlines, allowing embedded newlines to pass. Additionally, TLSA `matching=0` has no upper bound on hex data length, and all validators return raw input without zone-fi [truncated]
CVE-2026-41236 is a HIGH-severity vulnerability in Froxlor server administration software. Version 2.3.6 of Froxlor contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. An att [truncated]
Froxlor server administration software version 2.3.6 has a vulnerability that allows authenticated customers with shell delegation enabled to submit an arbitrary shell, potentially leading to real shell access on the host. The issue is fixed in version 2.3.7.
CVE-2026-41234 is a HIGH-severity vulnerability in Froxlor server administration software. An authenticated customer with DNS editing enabled can inject newlines into TXT record values via the `DomainZones.add` API endpoint. This allows injection of arbitrary BIND directives and DNS records into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932. Versio [truncated]
CVE-2016-5100 is a critical authentication weakness in Froxlor versions before 0.9.35. The issue stems from using PHP's `rand()` for random number generation when creating password reset tokens, which makes the tokens easier to predict. Because password reset flows are security-sensitive, this can expose accounts to unauthorized takeover if an attacker can guess a valid token.