CVE-2026-26952 in web
Summary
by MITRE • 02/20/2026
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability identified as CVE-2026-26952 affects the Pi-hole Admin Interface, a widely used network-level ad and tracker blocking solution that operates at the DNS level to prevent unwanted advertisements and tracking activities. This security flaw exists in versions 6.4 and earlier, representing a significant concern for network administrators who rely on Pi-hole for their network security infrastructure. The vulnerability specifically targets the local DNS records configuration page, which serves as the primary interface for managing DNS entries within the Pi-hole system. The issue manifests as a stored HTML injection vulnerability that occurs when administrators input DNS record values through the web interface, creating a persistent security risk that can affect all users of the system.
The technical root cause of this vulnerability lies within the populateDataTable() JavaScript function that handles the display of DNS records within the administrative interface. This function processes data variables containing the complete DNS record values exactly as entered by users and returned by the API without implementing any form of input sanitization or HTML escaping. The flaw occurs because the system directly inserts user-supplied data into HTML data-tag attributes without proper encoding or validation of special characters. When an attacker provides a DNS record value containing double quotes, these characters can prematurely terminate the HTML attribute, allowing for the injection of additional HTML attributes and potentially malicious code into the rendered page. This represents a classic stored cross-site scripting vulnerability where the malicious input is permanently stored in the application's database and executed whenever the affected page is accessed.
The operational impact of this vulnerability extends beyond simple code injection, as it provides an authenticated attacker with a persistent means of executing malicious activities within the Pi-hole administrative environment. While the Content Security Policy implemented by Pi-hole does block inline JavaScript execution, limiting the immediate impact to purely HTML-based injection, the vulnerability still allows for potential exploitation through other vectors such as HTML attribute manipulation, CSS injection, or the creation of malicious links that could redirect users to harmful sites. The stored nature of the vulnerability means that the injected code persists across multiple sessions and page refreshes, making it particularly dangerous for network administrators who may not immediately notice the compromise. This vulnerability could enable attackers to modify DNS records, redirect traffic, or potentially escalate privileges within the administrative interface, undermining the security posture of networks relying on Pi-hole for protection.
The mitigation strategy for this vulnerability involves upgrading to Pi-hole version 6.4.1 or later, which implements proper input sanitization and HTML escaping mechanisms to prevent the injection of malicious code into the data-tag attributes. Organizations should also implement additional security measures such as regular monitoring of DNS record changes, implementing multi-factor authentication for administrative access, and conducting periodic security audits of the Pi-hole configuration. Network administrators should consider implementing additional access controls and monitoring for unauthorized changes to DNS records, as the vulnerability demonstrates the importance of proper input validation in web applications. This vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws, and represents a clear violation of secure coding practices that should be implemented across all web applications handling user input. The ATT&CK framework categorizes this vulnerability under T1059.006 for JavaScript execution and T1566 for credential access through web application attacks, highlighting the potential for privilege escalation and unauthorized access to network infrastructure. Organizations should also consider implementing network segmentation and monitoring to detect potential exploitation attempts and ensure that administrative interfaces are properly secured against authenticated attacks.