CVE-2026-26952

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26952

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26952.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26952

Aliases

GHSA-6xp4-jw73-f4qp

Published

2026-02-19T22:43:58.403Z

Modified

2026-03-03T02:56:10.781095Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Pi-hole Web Interface has Stored HTML Injection via Local DNS Records (CNAME/Hosts) in data-tag Attribute

Details

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26952.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-20",
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/pi-hole/web

Affected ranges

Type: GIT
Repo: https://github.com/pi-hole/web
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

09e4e0ed396642261ee9ef937a833cb1076a0220

Affected versions

0.*

0.1

1.*

1.0

1.1

1.2

1.2.1

1.3

2.*

2.0.0

2.1.0

2.1.1

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.2

v1.3

v1.4

v1.4.1

v1.4.2

v1.4.3

v1.4.3.1

v1.4.3.1a

v1.4.4

v1.4.4.1

v1.4.4.2

v2.*

v2.0

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1

v2.1.0-alpha-1

v2.1.0-beta

v2.1.2

v2.2

v2.2.0

v2.3

v2.3.1

v2.4

v2.5

v2.5.1

v2.5.2

v3.*

v3.0

v3.0.1

v3.0.1a

v3.1

v3.2

v3.2.1

v3.3

v4.*

v4.0

v4.1

v4.1.1

v4.2

v4.3

v4.3.2

v4.3.3

v5.*

v5.0

v5.1

v5.1.1

v5.10

v5.10.1

v5.11

v5.12

v5.13

v5.14

v5.14.1

v5.14.2

v5.15

v5.15.1

v5.16

v5.17

v5.18

v5.18.1

v5.18.2

v5.18.3

v5.18.4

v5.19

v5.2

v5.2.1

v5.2.2

v5.20

v5.20.1

v5.20.2

v5.21

v5.3

v5.3.1

v5.3.2

v5.4

v5.5

v5.5.1

v5.6

v5.7

v5.8

v5.9

v6.*

v6.0

v6.0.1

v6.0.2

v6.1

v6.2

v6.2.1

v6.3

v6.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26952.json"