CVE-2026-26952
Received Received - Intake
Stored HTML Injection in Pi-hole Admin Interface DNS Records

Publication date: 2026-02-19

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely β€œclose” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26952
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pi-hole web_interface to 6.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Pi-hole Admin Interface versions 6.4 and below. It is a stored HTML injection issue that occurs through the local DNS records configuration page. An authenticated administrator can inject malicious code into the Pi-hole configuration, which is then stored and rendered every time the DNS records table is viewed.

The problem arises because the populateDataTable() function inserts user-supplied DNS record values directly into an HTML attribute without escaping or sanitizing special characters. Specifically, if an attacker includes double quotes (") in the input, they can break out of the intended attribute and inject additional HTML attributes.

However, the impact is limited because Pi-hole uses a Content Security Policy (CSP) that blocks inline JavaScript, reducing the potential for more harmful script execution. This vulnerability was fixed in version 6.4.1.

Impact Analysis

This vulnerability allows an authenticated administrator to inject malicious HTML code into the Pi-hole configuration, which is then displayed whenever the DNS records table is viewed.

Because of the Content Security Policy blocking inline JavaScript, the risk of executing harmful scripts is limited. However, the injected HTML could still potentially be used to manipulate the interface or mislead users viewing the DNS records.

The vulnerability requires administrator privileges, so it does not allow remote unauthenticated attackers to exploit it.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Pi-hole to version 6.4.1 or later, where the issue has been fixed.

Since the vulnerability involves stored HTML injection through the local DNS records configuration page, ensure that only trusted administrators have access to the Pi-hole Admin Interface to reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26952. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart