CVE-2026-33608

Source
https://cve.org/CVERecord?id=CVE-2026-33608
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33608.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33608
Downstream
Published
2026-04-22T14:00:15.473Z
Modified
2026-07-15T01:49:18.526636291Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
Incomplete domain name sanitization during
Details

An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33608.json",
    "cna_assigner": "OX"
}
References

Affected packages

Git / github.com/powerdns/pdns

Affected ranges

Type
GIT
Repo
https://github.com/powerdns/pdns
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.9.0"
        },
        {
            "fixed": "4.9.14"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.4"
        }
    ],
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*"
}

Affected versions

rec-5.*
rec-5.0.0
rec-5.0.0-rc2
rec-5.0.1
rec-5.0.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33608.json"