Froxlor server administration software prior to version 2.3.6 contains a vulnerability in the DomainZones::add() function that accepts arbitrary DNS record types without proper validation. The flaw allows authenticated customers to bypass content validation by submitting DNS types not covered by the validation chain (NAPTR, PTR, HINFO). Newline characters in the content field are not sanitized and survive processing, enabling injection of arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE) into domain zone files. The vulnerability is fixed in version 2.3.6.