
Froxlor

v2.3.8 Security

This release includes 7 security fixes and is relevant for security teams reviewing internet-exposed deployments.

✓ 7 security fixes; no CVE identifiers are listed for them in the release notes

Topics

froxlor hosting php server-management webserver

Affected surfaces

auth

ReleasePort's take

Moderate signal

Version 2.3.8 adds CSRF‑token validation for ajax actions and hardens redirect‑URL validation for (sub)domains, numeric checks on IP address IDs, DNS TXT rendering in the frontend, the record/label and type fields of the DNS editor, API response payloads, and the user‑given destination path of the data export.

Why it matters: the seven security fixes (severity 80) close cross‑site request forgery on ajax actions, unvalidated redirect targets, non‑numeric IP address IDs, unescaped DNS TXT content and editor fields in the frontend, sensitive fields leaking through API responses, and user‑controlled destination paths in data export. Deploy promptly on panels reachable from the internet; none of these fixes has a configuration workaround listed in the notes.

Summary

AI summary

[security] CSRF-token validation added to ajax-actions, enhancing request security.

Changes in this release

  • Security High: Adds CSRF token validation for ajax actions.
  • Security High: Enhances validation of redirect URLs for domains and subdomains.
  • Security High: Verifies numeric values for IP address IDs.
  • Security High: Escapes special characters in DNS TXT content in the frontend.
  • Security High: Secures record/label and type fields in the DNS editor.
  • Security High: Unsets sensitive data from API responses.
  • Security High: Validates and sanitizes the user‑provided destination path for data export.
  • Feature Low: Adds a check for existing files in the customer directory when it is used as domain‑path.
  • Dependency Low: Bumps axios from 1.15.2 to 1.16.0.
  • Bugfix Medium: Improves DNS LE test and MySQL test cleanup.

Source: llm_adapter@2026-06-09

Confidence: high
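The first three security entries above are request-side checks. The following PHP is an added example written for this page, not Froxlor's own code, showing what each check looks like when done correctly: a per-session CSRF token compared in constant time before an ajax action runs, a canonical positive-integer check for an ipaddress-id, and an allow-list parse of a redirect URL. Function names, the hostname policy (plain DNS names only, so IP literals are rejected) and the sample inputs are assumptions made here.

```php
<?php
// Added illustration, not Froxlor's code: request-side checks of the kind
// the 2.3.8 notes list for ajax actions, ipaddress-ids and redirect URLs.
// Function names and the hostname policy are assumptions made here.
declare(strict_types=1);

// CSRF token: one random token per session, compared in constant time.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Every state-changing ajax action checks the submitted token against the
// session copy before doing anything else; a missing or wrong token fails.
function ajaxRequestIsAuthorized(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// ipaddress-id: accept only a canonical positive integer so values such as
// "1 OR 1=1", "1e3", " 1" or "" never reach a query or a lookup.
function validIpAddressId($value): ?int
{
    if (is_int($value)) {
        return $value > 0 ? $value : null;
    }
    if (!is_string($value) || !preg_match('/^[1-9][0-9]{0,9}$/', $value)) {
        return null;
    }
    return (int) $value;
}

// Redirect target for a (sub)domain: absolute http(s) URL with a plain DNS
// hostname; control characters, userinfo and other schemes are rejected.
// Rejecting IP literals is a policy choice made for this example.
function validRedirectUrl(string $url): ?string
{
    if (strlen($url) > 2048 || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass']) || empty($parts['host'])) {
        return null;
    }
    $hostRe = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    return preg_match($hostRe, $parts['host']) ? $url : null;
}

// Constructed inputs for a stand-alone run (php this_file.php).
$session = [];
$token = csrfToken($session);
var_dump(ajaxRequestIsAuthorized($session, ['csrf_token' => $token]));
var_dump(ajaxRequestIsAuthorized($session, ['csrf_token' => 'guessed']));
var_dump(validIpAddressId('12'), validIpAddressId('12 OR 1=1'));
var_dump(validRedirectUrl('https://www.example.com/new-site'));
var_dump(validRedirectUrl('javascript:alert(1)'));
var_dump(validRedirectUrl('https://user:pw@example.com/'));
```

The point of `hash_equals` is that a plain `==` comparison leaks timing and, in PHP, also applies loose type juggling; the point of the integer regex is that `is_numeric` and `(int)` casts both accept strings a query should never see. For the redirect check, parsing with `parse_url` and then allow-listing scheme and host is more robust than blocklisting `javascript:` or `data:` prefixes.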

Full changelog

What's Changed

  • fix: improve DNS LE test and MySQL test cleanup by @hknet in https://github.com/froxlor/froxlor/pull/1409
  • Bump axios from 1.15.2 to 1.16.0 by @dependabot[bot] in https://github.com/froxlor/froxlor/pull/1410
  • add check for existing files in customer directory when specified as domain-path, https://github.com/froxlor/froxlor/issues/1411
  • [security] add csrf-token validation in ajax-actions
  • [security] enhance validation of redirect-URLs for (sub)domains
  • [security] verify numeric values for ipaddress-id's
  • [security] escape allowed special-characters in dns TXT content in frontend
  • [security] secure record/label and type in dns-editor
  • [security] unset sensitive data from api responses
  • [security] secure user-given destination-path of data-export

New Contributors

  • @hknet made their first contribution in https://github.com/froxlor/froxlor/pull/1409

Full Changelog: https://github.com/froxlor/froxlor/compare/2.3.7...2.3.8
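The remaining four security entries in the changelog concern output and data handling. The following PHP is an added example for this page, not Froxlor's code: it escapes DNS TXT content only at render time so SPF/DKIM quoting survives in the stored record, restricts dns-editor record type and label to an allow-list and a label grammar, strips secret columns from an API row before serialisation, and confines a user-given export destination to the customer directory by comparing canonical paths. The function names, the record-type allow-list, the sensitive-key list and the sample inputs are assumptions made here.

```php
<?php
// Added illustration, not Froxlor's code: output- and data-side hardening
// of the kind the 2.3.8 notes list for DNS TXT rendering, dns-editor
// fields, API responses and the data-export destination. Function names,
// the record-type allow-list and the sensitive-key list are assumptions.
declare(strict_types=1);

// DNS TXT content legitimately contains quotes, semicolons and backslashes
// (SPF, DKIM, DMARC). Keep them in the record; escape only when rendering
// into HTML so the value cannot break out of its element or attribute.
function renderTxtForHtml(string $txt): string
{
    return htmlspecialchars($txt, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// dns-editor: record type comes from a fixed allow-list, the label from a
// DNS-label grammar ("@" for the apex, optional "*." wildcard prefix).
const ALLOWED_RR_TYPES = ['A', 'AAAA', 'CNAME', 'MX', 'NS', 'TXT', 'SRV', 'CAA'];

function validRecordType(string $type): ?string
{
    $type = strtoupper(trim($type));
    return in_array($type, ALLOWED_RR_TYPES, true) ? $type : null;
}

function validRecordLabel(string $label): ?string
{
    if ($label === '@') {
        return $label;
    }
    $labelRe = '/^(?:\*\.)?(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)*(?!-)[a-z0-9-]{1,63}(?<!-)$/i';
    return preg_match($labelRe, $label) ? strtolower($label) : null;
}

// API responses: remove secret columns centrally, before serialisation,
// instead of trusting every endpoint to do it.
const SENSITIVE_KEYS = ['password', 'password_hash', 'api_secret', 'ssh_key', 'dkim_privkey'];

function scrubApiResponse(array $row): array
{
    foreach (SENSITIVE_KEYS as $key) {
        unset($row[$key]);
    }
    return $row;
}

// data-export: the user-given destination must resolve inside the
// customer's directory. Compare canonical paths (realpath) so "..",
// symlinks and absolute paths are all caught; string checks alone are not.
function confinedExportPath(string $customerDir, string $userPath): ?string
{
    $base = realpath($customerDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    // The file itself may not exist yet, so canonicalise its parent dir.
    $name = basename($userPath);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $parent = realpath($base . DIRECTORY_SEPARATOR . dirname($userPath));
    if ($parent === false) {
        return null;
    }
    $target = $parent . DIRECTORY_SEPARATOR . $name;
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed inputs for a stand-alone run (php this_file.php).
var_dump(renderTxtForHtml('v=spf1 include:_spf.example.com ~all "<x>"'));
var_dump(validRecordType('txt'), validRecordType('ANY'));
var_dump(validRecordLabel('*.mail'), validRecordLabel('-bad'));
var_dump(scrubApiResponse(['loginname' => 'c1', 'password' => 'hash', 'email' => 'c1@example.com']));
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export-demo';
@mkdir($dir);
var_dump(confinedExportPath($dir, 'backup.tar.gz'));
var_dump(confinedExportPath($dir, '../../etc/passwd'));
```

Two design choices worth noting: escaping happens in the view, not on save, because a TXT record that has had its quotes entity-encoded is no longer a valid SPF or DKIM record; and the export check canonicalises the parent directory rather than the full path, because the destination file usually does not exist yet and `realpath` returns `false` for non-existent paths.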



About Froxlor

The server administration software for your needs - The official Froxlor development Git repository
