CVE-2026-26952
Stored HTML Injection in Pi-hole Admin Interface DNS Records
Publication date: 2026-02-19
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | web_interface | to 6.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Pi-hole Admin Interface versions 6.4 and below. It is a stored HTML injection issue that occurs through the local DNS records configuration page. An authenticated administrator can inject malicious code into the Pi-hole configuration, which is then stored and rendered every time the DNS records table is viewed.
The problem arises because the populateDataTable() function inserts user-supplied DNS record values directly into an HTML attribute without escaping or sanitizing special characters. Specifically, if an attacker includes double quotes (") in the input, they can break out of the intended attribute and inject additional HTML attributes.
However, the impact is limited because Pi-hole uses a Content Security Policy (CSP) that blocks inline JavaScript, reducing the potential for more harmful script execution. This vulnerability was fixed in version 6.4.1.
How can this vulnerability impact me? :
This vulnerability allows an authenticated administrator to inject malicious HTML code into the Pi-hole configuration, which is then displayed whenever the DNS records table is viewed.
Because of the Content Security Policy blocking inline JavaScript, the risk of executing harmful scripts is limited. However, the injected HTML could still potentially be used to manipulate the interface or mislead users viewing the DNS records.
The vulnerability requires administrator privileges, so it does not allow remote unauthenticated attackers to exploit it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Pi-hole to version 6.4.1 or later, where the issue has been fixed.
Since the vulnerability involves stored HTML injection through the local DNS records configuration page, ensure that only trusted administrators have access to the Pi-hole Admin Interface to reduce risk.