Cross-site scripting in Froxlor - CVE-2026-54347

 


Published: June 29, 2026


Vulnerability identifier: #VU135781
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54347
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: froxlor
Affected software:
Froxlor

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.

The vulnerability exists due to cross-site scripting in the DNS editor TXT record content rendering path when an administrator views the DNS configuration of an affected domain. A remote user can inject a crafted DNS TXT record to execute arbitrary JavaScript in an administrator's browser and take over the administrator account.

DNS functionality and DNS editor access must be enabled, and user interaction is limited to the administrator visiting the DNS editor page for the affected domain.


How to mitigate CVE-2026-54347

Install the security update from the vendor's website.
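The following triage check is an added example, not part of the advisory or of Froxlor's code. It reviews exported DNS records for TXT values that an HTML parser would treat as markup, and returns them in escaped form so they can be inspected without being rendered. The record layout (`domain`, `name`, `type`, `content` keys), the sample data and the `<`/`>` heuristic are assumptions made for illustration.

```python
import html

# Assumption: the value is rendered as element content, so "<" and ">" are the
# characters of interest. Quotes are not flagged because ordinary TXT data
# (SPF, DKIM, DMARC, verification tokens) may legitimately contain them.
HTML_ACTIVE = set("<>")


def suspicious_reason(content):
    """Return why a TXT value deserves review, or None if it looks ordinary."""
    hits = sorted(HTML_ACTIVE.intersection(content))
    if hits:
        return "HTML-active characters: " + " ".join(hits)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in content):
        return "control characters"
    return None


def audit_txt_records(records):
    """Return (domain, name, escaped_content, reason) for TXT records to review."""
    findings = []
    for rec in records:
        if rec["type"].upper() != "TXT":
            continue
        reason = suspicious_reason(rec["content"])
        if reason:
            # Escape the value so the report itself is safe to view in a browser.
            safe = html.escape(rec["content"], quote=True)
            findings.append((rec["domain"], rec["name"], safe, reason))
    return findings


# Constructed sample records (hypothetical export format, not Froxlor's schema).
SAMPLE_RECORDS = [
    {"domain": "example.test", "name": "@", "type": "TXT", "content": "v=spf1 mx -all"},
    {"domain": "example.test", "name": "_dmarc", "type": "TXT", "content": "v=DMARC1; p=none"},
    {"domain": "example.test", "name": "note", "type": "TXT", "content": "<b>constructed markup</b>"},
    {"domain": "example.test", "name": "www", "type": "A", "content": "192.0.2.10"},
]

if __name__ == "__main__":
    for finding in audit_txt_records(SAMPLE_RECORDS):
        print(*finding, sep=" | ")
```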
