Cross-site scripting in Froxlor - CVE-2026-54347
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.
The vulnerability exists due to cross-site scripting in the path that renders TXT record content in the DNS editor, and it is triggered when an administrator views the DNS configuration of an affected domain. A remote user can inject a crafted DNS TXT record to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.
Exploitation requires that DNS functionality and DNS editor access are enabled. The only user interaction needed is an administrator visiting the DNS editor page for the affected domain.
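How output encoding closes this kind of rendering path, and how stored TXT records can be audited for markup, shown as an added example that is not Froxlor's code. The record layout, function names and sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows; the field names are assumptions, not Froxlor's schema.
$records = [
    ['id' => 1, 'type' => 'TXT', 'content' => '"v=spf1 mx -all"'],
    ['id' => 2, 'type' => 'TXT', 'content' => '"<script>alert(1)</script>"'],
    ['id' => 3, 'type' => 'A',   'content' => '192.0.2.10'],
];

// Unsafe pattern: stored record content is concatenated into markup as-is,
// so any HTML in a TXT value is interpreted by the viewer's browser.
function renderRowUnsafe(array $r): string
{
    return '<tr><td>' . $r['type'] . '</td><td>' . $r['content'] . '</td></tr>';
}

// Hardened pattern: every stored field is encoded for the HTML context at output time.
function renderRowSafe(array $r): string
{
    $enc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $enc($r['type']) . '</td><td>' . $enc($r['content']) . '</td></tr>';
}

// Audit helper: flag stored TXT records whose content contains angle brackets.
// SPF, DKIM and DMARC values normally contain neither '<' nor '>'.
function findSuspiciousTxt(array $records): array
{
    return array_values(array_filter(
        $records,
        static fn (array $r): bool =>
            $r['type'] === 'TXT' && preg_match('/[<>]/', $r['content']) === 1
    ));
}

// Render all rows with encoding applied, then list records that need review.
foreach ($records as $r) {
    echo renderRowSafe($r), PHP_EOL;
}
foreach (findSuspiciousTxt($records) as $r) {
    echo "review record id {$r['id']}", PHP_EOL;
}
```

Encoding at output time protects the administrator view even when a malicious value is already stored, while the audit pass helps identify which domains' records should be reviewed.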