CVE-2026-26953
Stored HTML Injection in Pi-hole Admin Interface Active Sessions
Publication date: 2026-02-19
Last updated on: 2026-03-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | web_interface | From 6.0 (inc) to 6.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Pi-hole Admin Interface from version 6.0 up to, but not including, 6.4.1. It is a Stored HTML Injection in the active sessions table on the API settings page. The X-Forwarded-For request header is client-controlled: any HTTP client can send it, whether or not a reverse proxy sits in front of Pi-hole. An attacker who holds valid credentials can log in with an X-Forwarded-For header containing arbitrary HTML; the value is stored with the session and is later rendered, unescaped, in the browser of any administrator who views the active sessions page.
The issue arises because the value data.x_forwarded_for is concatenated directly into an HTML string that is inserted into the DOM with jQuery's .html(), a sink that parses its argument as markup rather than as text. Pi-hole's Content Security Policy blocks inline JavaScript, so the injected markup cannot run scripts; the result is HTML injection rather than full cross-site scripting, but arbitrary markup is still rendered in the administrator's page.
This vulnerability was fixed in version 6.4.1.
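The rendering pattern described above, reduced to plain JavaScript so it runs under Node.js without jQuery or a DOM. This is an added illustration, not Pi-hole's code: the session object, the function names and the row layout are constructed for the example.

```javascript
// Added example: the vulnerable "concatenate, then hand to an HTML sink"
// pattern next to its escaped form. Not Pi-hole code; the session object and
// the renderSessionRow* names are constructed for this illustration.

// Minimal HTML escaping for text placed inside element content or
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the untrusted header value is concatenated into markup
// that is later passed to an HTML-interpreting sink such as jQuery's .html().
function renderSessionRowVulnerable(session) {
  return "<tr><td>" + session.remote_addr + "</td>" +
         "<td>" + session.x_forwarded_for + "</td></tr>";
}

// Hardened pattern: every untrusted field is escaped before concatenation, so
// the browser shows the header text literally instead of parsing it as tags.
function renderSessionRowSafe(session) {
  return "<tr><td>" + escapeHtml(session.remote_addr) + "</td>" +
         "<td>" + escapeHtml(session.x_forwarded_for) + "</td></tr>";
}

// Counts tags that ended up inside the cells (the wrapper <tr>/<td> tags the
// renderer itself emits are ignored). Used only to show the difference.
function injectedTagCount(rowHtml) {
  const cells = rowHtml.match(/<td>([\s\S]*?)<\/td>/g) || [];
  let count = 0;
  for (const cell of cells) {
    const inner = cell.slice("<td>".length, -"</td>".length);
    count += (inner.match(/<[a-zA-Z/][^>]*>/g) || []).length;
  }
  return count;
}

// Constructed session resembling what the active sessions table renders.
// Only a client that can log in creates a session, but that client may set
// X-Forwarded-For to whatever it likes.
const session = {
  remote_addr: "192.0.2.10",
  x_forwarded_for: '<img src=x onerror="alert(1)"><b>Session hijacked</b>'
};

console.log("vulnerable:", renderSessionRowVulnerable(session));
console.log("  injected tags:", injectedTagCount(renderSessionRowVulnerable(session)));
console.log("safe:      ", renderSessionRowSafe(session));
console.log("  injected tags:", injectedTagCount(renderSessionRowSafe(session)));
```

Handing the first string to .html() makes the browser parse the img and b tags; handing the second string to it displays them as literal text. An equivalent fix is to avoid the HTML-interpreting sink altogether and build the cell with jQuery's .text() or the DOM's textContent, which needs no escaping. The CSP only limits what the injected tags can do once parsed; it does not stop them from being inserted.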
How can this vulnerability impact me?
The vulnerability allows an attacker who already holds valid credentials to place arbitrary HTML into the active sessions page viewed by administrators. The Content Security Policy prevents execution of inline JavaScript, but the injected markup is still rendered, so it can alter the appearance or content of the page: for example a fake warning banner, a misleading link, or text that makes a hostile session look legitimate.
Because the injection is limited to HTML and does not allow script execution, the impact is less severe than a full cross-site scripting (XSS) attack, but it can still support phishing-style deception of administrators and manipulation of the interface. The requirement for valid credentials means the issue matters most where several people share access to the admin interface or where a password may have leaked.
A CVSS base score of 5.4 (medium) is reported for this issue. For an HTML-only injection the practical impact is on the integrity of what administrators see in the interface, not on the confidentiality of data or the availability of DNS filtering; the score also reflects that the attacker must already be authenticated and that an administrator must view the affected page.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To determine whether a system is affected, check the installed web interface version: pihole -v prints the Core, Web and FTL versions, and any Web version from 6.0 up to but not including 6.4.1 is vulnerable. Note that Pi-hole 6 serves the admin interface from FTL's embedded web server rather than lighttpd, so lighttpd log paths from older guides do not apply, and you should not assume that request headers such as X-Forwarded-For appear in any access log.
Because the injected value is stored with the session and displayed by the active sessions table, the most direct check is to inspect the stored sessions themselves. A legitimate x_forwarded_for value is either empty or a comma-separated list of IP addresses; anything containing angle brackets, quotes, or other non-address characters is an exploitation attempt. On the wire, the same header can be watched for in plaintext HTTP traffic to the admin interface.
Example commands:
- Listing active sessions through the v6 REST API and checking each x_forwarded_for value (endpoint names are those of the v6 API; confirm them against the interactive documentation your instance serves at /api/docs, and obtain a session ID by logging in with POST /api/auth first): curl -s -H "sid: $SID" https://your-pihole/api/auth/sessions
- Capturing plaintext HTTP requests to the admin interface and printing any X-Forwarded-For header (only port 80 traffic is visible this way; HTTPS requests must be inspected at the server or at a terminating proxy): sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep --line-buffered -i 'X-Forwarded-For'
- Reproducing the storage step against your own instance to confirm a version is affected: log in with a harmless marker in the header, then open the active sessions table and see whether the marker is rendered as bold text (vulnerable) or shown literally as tags (fixed): curl -s -H 'X-Forwarded-For: <b>xff-test</b>' -H 'Content-Type: application/json' -d '{"password":"YOUR_PASSWORD"}' https://your-pihole/api/auth . The legacy /admin/api.php endpoint belongs to Pi-hole 5 and does not exist in version 6.
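A check that runs over stored session records, as an added example that is not part of this page or of Pi-hole. The session objects below are constructed to resemble the rows the active sessions table renders, using the x_forwarded_for field named on this page; the exact JSON shape returned by the v6 sessions API is an assumption. The same isSuspiciousForwardedFor check can be applied to a raw header value pulled from a packet capture.

```javascript
// Added example (not Pi-hole code): flag sessions whose stored X-Forwarded-For
// value does not look like a list of IP addresses. The `sessions` array is
// constructed; the field names mirror the x_forwarded_for field named on the
// page, and the surrounding JSON shape is an assumption.

// Strict dotted-quad IPv4 (each octet 0..255, no leading junk).
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Permissive IPv6 shape: hex groups and colons, optionally ending in an
// embedded IPv4 (e.g. ::ffff:192.0.2.1). Good enough for an allow-list check.
const IPV6 = /^[0-9a-fA-F:]+(\.\d{1,3}){0,3}$/;

function looksLikeIp(token) {
  if (IPV4.test(token)) return true;
  return token.includes(":") && token.length <= 45 && IPV6.test(token);
}

// X-Forwarded-For is a comma-separated hop list; every hop must be an IP.
// An allow-list is used on purpose: tags, quotes, entities and anything else
// that is not an address is flagged, not just "<".
function isSuspiciousForwardedFor(value) {
  if (value == null || value === "") return false; // header absent: nothing stored
  return String(value).split(",").some(hop => !looksLikeIp(hop.trim()));
}

// Returns the sessions that carry a non-address value, with the fields an
// administrator needs to decide whether to terminate them.
function flagSessions(sessions) {
  return sessions
    .filter(s => isSuspiciousForwardedFor(s.x_forwarded_for))
    .map(s => ({ id: s.id, remote_addr: s.remote_addr, x_forwarded_for: s.x_forwarded_for }));
}

// Constructed sample: three benign sessions and two carrying injected markup.
const sessions = [
  { id: 1, remote_addr: "192.0.2.10", x_forwarded_for: "" },
  { id: 2, remote_addr: "10.0.0.5",   x_forwarded_for: "198.51.100.7, 10.0.0.1" },
  { id: 3, remote_addr: "10.0.0.9",   x_forwarded_for: "2001:db8::1" },
  { id: 4, remote_addr: "10.0.0.12",  x_forwarded_for: "<marquee>admin: re-login at http://evil.example</marquee>" },
  { id: 5, remote_addr: "10.0.0.13",  x_forwarded_for: '203.0.113.4" onmouseover="alert(1)' }
];

for (const hit of flagSessions(sessions)) {
  console.log(`suspicious session ${hit.id} from ${hit.remote_addr}: ${JSON.stringify(hit.x_forwarded_for)}`);
}
```

Feeding the output of the sessions listing into flagSessions gives the session IDs to terminate; because a legitimate value can only be addresses, the allow-list catches attribute-injection attempts (session 5) that a search for "<" alone would miss.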
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade the Pi-hole web interface to version 6.4.1 or later, where the active sessions table no longer renders the X-Forwarded-For value as HTML.
Until the upgrade can be performed, restrict access to the Pi-hole Admin Interface to trusted administrators only; review the active sessions table (or the sessions listing from the API) for entries whose X-Forwarded-For value is not an empty string or a list of IP addresses, terminate any such session, and rotate the admin password if someone who should not hold credentials may have obtained them.
Do not weaken the Content Security Policy that Pi-hole ships: it is what keeps this issue from escalating to script execution. In particular, a reverse proxy in front of the admin interface must not strip or override that header. The CSP is not a substitute for the upgrade, since the injected markup is still rendered to administrators.