CVE-2026-26952
MEDIUMDescription
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploit Intelligence
Low risk: more likely to be exploited than 15% of all known CVEs.
References
Related Vulnerabilities
Other CWE-20 (Improper Input Validation) vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2024-3400 | Critical | 10.0 | 100% | KEV + Ransom | - |
| CVE-2021-45105 | Medium | 5.9 | 100% | - | Fix |
| CVE-2021-44228 | Critical | 10.0 | 100% | KEV + Ransom | Fix |
| CVE-2021-21985 | Critical | 9.8 | 100% | KEV + Ransom | Fix |
| CVE-2018-7600 | Critical | 9.8 | 100% | KEV + Ransom | Fix |
| CVE-2020-3452 | High | 7.5 | 100% | KEV | Fix |
Embed a live status badge for CVE-2026-26952
Markdown
[](https://tridentstack.com/cve/CVE-2026-26952)HTML
<a href="https://tridentstack.com/cve/CVE-2026-26952"><img src="https://tridentstack.com/cve/badge/CVE-2026-26952.svg" alt="CVE-2026-26952"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-03-12.