Description
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
Published: 2026-03-31
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: HTML injection into DNSdist web dashboard
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary HTML content into the internal web dashboard of DNSdist by sending specially crafted DNS queries. This cross‑site scripting flaw can be used to display malicious web pages within the dashboard interface, potentially leading to phishing or credential theft within the management console. The weakness is due to insufficient sanitization of input processed by the dashboard rendering component (CWE‑80).

Affected Systems

The flaw affects PowerDNS DNSdist instances that have domain‑based dynamic rules enabled through DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. No specific version numbers are supplied, so any release where these features are active may be impacted.

Risk and Exploitability

The vendor assigns a CVSS score of 3.1, indicating low impact, and the EPSS score is below 1 %, suggesting that exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to target a DNSdist server over the network and send crafted DNS queries that trigger the dynamic rule processing; thus, the attack vector is remote network. Since no publicly disclosed exploits are known, the current risk remains moderate but should be mitigated promptly.

Generated by OpenCVE AI on March 31, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest DNSdist update that addresses the HTML injection issue
  • Disable domain‑based dynamic rules (setSuffixMatchRule or setSuffixMatchRuleFFI) if an immediate update is not possible

Generated by OpenCVE AI on March 31, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-80
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
Title HTML injection in the web dashboard
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:21:08.549Z

Reserved: 2025-11-28T09:18:05.355Z

Link: CVE-2026-0396

cve-icon Vulnrichment

Updated: 2026-03-31T13:21:00.471Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T12:16:27.190

Modified: 2026-04-13T12:46:34.270

Link: CVE-2026-0396

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:46Z

Weaknesses