Description
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
Published: 2026-03-31
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting on internal dashboard
Action: Apply patch
AI Analysis

Impact

An attacker can send specially crafted DNS queries to a DNSdist instance that has domain‑based dynamic rules enabled. The queries trigger the insertion of arbitrary HTML into the internal web dashboard, a form of cross‑site scripting that can allow the attacker to display malicious content or perform actions in the context of users interacting with the dashboard.

Affected Systems

The vulnerability affects the PowerDNS DNSdist product. No specific versions are listed, so all releases running DNSdist with enabled dynamic rule features are potentially affected.

Risk and Exploitability

With a CVSS score of 3.1, the vulnerability is considered low severity, and its EPSS score is below 1 %, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be able to send crafted DNS queries to the DNSdist instance, so it is most relevant for attackers who already have network access to the DNS infrastructure or can influence traffic towards the application.

Generated by OpenCVE AI on April 13, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DNSdist to the latest version that addresses the HTML injection flaw
  • Disable domain‑based dynamic rule features if they are not required
  • Restrict access to the DNSdist web dashboard to trusted administrators only
  • Configure network firewall or security controls to block external DNS traffic to the dashboard port if not needed

Generated by OpenCVE AI on April 13, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6235-1 dnsdist security update
History

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-80
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
Title HTML injection in the web dashboard
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:21:08.549Z

Reserved: 2025-11-28T09:18:05.355Z

Link: CVE-2026-0396

cve-icon Vulnrichment

Updated: 2026-03-31T13:21:00.471Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T12:16:27.190

Modified: 2026-04-13T12:46:34.270

Link: CVE-2026-0396

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:22Z

Weaknesses