CVE-2026-26953 in webinfo

Summary

by MITRE • 02/20/2026

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function contains the value data.x_forwarded_for, which is directly concatenated into an HTML string and inserted into the DOM using jQuery’s .html() method. This method interprets the content as HTML, which means that any HTML tags present in the value will be parsed and rendered by the browser. An attacker can use common tools such as curl, wget, Python requests, Burp Suite, or even JavaScript fetch() to send an authentication request with an X-Forwarded-For header that contains malicious HTML code instead of a legitimate IP address. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited to pure HTML injection without the ability to execute scripts. This issue has been fixed in version 6.4.1.


Analysis

by VulDB Data Team • 03/12/2026

The vulnerability described in CVE-2026-26953 represents a stored HTML injection flaw within the Pi-hole Admin Interface, specifically affecting versions 6.0 and later. This issue resides in the active sessions table displayed on the API settings page, creating a persistent security risk that can be exploited by authenticated attackers. The vulnerability stems from improper input validation and sanitization of the X-Forwarded-For header value, which is directly concatenated into HTML content without appropriate escaping or encoding mechanisms. The affected code path involves the rowCallback function that processes the data.x_forwarded_for field and subsequently inserts this value into the DOM using jQuery's .html() method, which inherently interprets the content as executable HTML markup rather than plain text. This design flaw allows attackers to inject malicious HTML content that will be rendered whenever any administrator views the active sessions page, potentially enabling various attack vectors including cross-site scripting attempts, user interface redressing, or information disclosure through crafted payloads.

The technical exploitation of this vulnerability requires an attacker to possess valid authentication credentials for the Pi-hole admin interface, making it a privilege escalation issue rather than a remote code execution vulnerability. Attackers can leverage common tools such as curl, wget, Python requests, Burp Suite, or JavaScript fetch() methods to craft authentication requests with malicious X-Forwarded-For headers containing HTML injection payloads. The attack process involves sending a legitimate authentication request while embedding crafted HTML code within the X-Forwarded-For header value, which then gets stored in the session table and rendered when administrators access the affected page. The Content Security Policy implemented by Pi-hole provides some protection against script execution by blocking inline JavaScript, but this mitigation is insufficient against pure HTML injection attacks that can manipulate the user interface, create misleading content, or potentially harvest sensitive information through carefully crafted HTML elements. This vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a specific implementation flaw where user-controllable data flows directly into HTML rendering contexts without proper sanitization. The attack surface is limited to authenticated users with administrative privileges, but the impact can be significant as it allows for persistent manipulation of the administrative interface that could mislead administrators or provide opportunities for further exploitation.

The operational impact of this vulnerability extends beyond simple HTML injection, as it can be leveraged to create persistent phishing attacks against administrators, manipulate session data display, or provide a foothold for more sophisticated attacks. Administrators who regularly monitor active sessions may be misled by malicious HTML content, potentially causing them to make incorrect security decisions based on false information presented in the interface. The vulnerability affects the integrity of the administrative interface and can be particularly dangerous in environments where Pi-hole is used for network security monitoring, as it undermines the trustworthiness of session information displayed to security personnel. The issue demonstrates poor input validation practices in web applications, where user-supplied data is not properly escaped or encoded before being inserted into HTML contexts. This type of vulnerability is particularly concerning in security tools where administrators rely on accurate information to make critical decisions about network traffic and security policies. The vulnerability also highlights the importance of proper sanitization of all user-controllable data in web applications, regardless of the expected input format, as even legitimate headers like X-Forwarded-For can become attack vectors when not properly handled. The fix implemented in version 6.4.1 addresses this issue by ensuring proper HTML escaping of the X-Forwarded-For header value before it is rendered in the administrative interface, preventing the direct insertion of user-controlled HTML into the DOM. This remediation aligns with ATT&CK technique T1059.006 (Command and Scripting Interpreter: PowerShell) and broader defensive practices related to input validation and output encoding to prevent injection attacks.

Organizations using Pi-hole should prioritize updating to version 6.4.1 or later to mitigate this vulnerability, as the stored nature of the injection means that the malicious content persists until the affected sessions are cleared or the interface is refreshed, potentially providing extended attack windows for determined adversaries.
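The sink described in the summary and the analysis above, as an added example that is not Pi-hole's own code: a table-cell builder for the X-Forwarded-For column in the vulnerable shape (raw concatenation destined for `.html()`) beside an escaped version, plus a defender-side check that flags stored session records whose X-Forwarded-For value is not IP-shaped. The function names, the session records and the `<b>not-an-ip</b>` value are constructed for the example.

```javascript
// Added example, not Pi-hole's code. Session records as the active-sessions table
// might receive them from the API; record 3 is a constructed malicious header value.
const SAMPLE_SESSIONS = [
  { id: 1, x_forwarded_for: "203.0.113.7" },
  { id: 2, x_forwarded_for: null },
  { id: 3, x_forwarded_for: "<b>not-an-ip</b>" },
];

// Vulnerable pattern: the header value is concatenated straight into markup that is
// later handed to jQuery's .html(), so any tags in it are parsed by the browser.
function renderXffCellVulnerable(data) {
  const xff = data.x_forwarded_for || "";
  return "<td>" + xff + "</td>";
}

// Output encoding for an HTML element body: the five characters that can change
// the structure of the markup are replaced by character entities.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: same cell, but the attacker-controlled value is escaped before it
// enters the string, so the browser displays it as text instead of rendering it.
function renderXffCellSafe(data) {
  const xff = data.x_forwarded_for || "";
  return "<td>" + escapeHtml(xff) + "</td>";
}

// Detection: X-Forwarded-For is expected to be a comma-separated list of IP
// addresses, so a stored value of any other shape is worth an alert.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;
const IPV6 = /^[0-9a-fA-F:.]+$/; // loose shape check, enough to reject markup
function looksLikeIpList(value) {
  if (value === null || value === undefined || value === "") return true; // header absent
  return String(value).split(",").every((part) => {
    const p = part.trim();
    return IPV4.test(p) || (p.includes(":") && IPV6.test(p));
  });
}

// Returns the ids of stored sessions whose X-Forwarded-For value is not IP-shaped.
function suspiciousSessions(sessions) {
  return sessions.filter((s) => !looksLikeIpList(s.x_forwarded_for)).map((s) => s.id);
}
```

The same escaping applies to every other API-supplied field the table builds markup from; validating the header shape on the server is a useful second layer, not a replacement for output encoding.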

Responsible

GitHub M

Reservation

02/16/2026

Disclosure

02/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00055

KEV

no

Activities

very low

Sources
