Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.
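The attribute-breakout pattern the description above refers to, as an added example in JavaScript that is not Pi-hole's code: a render function built the same way as the flaw is described (record value concatenated straight into a data-tag attribute), a hardened variant that escapes the value first, and a small check that lists the attributes a browser would see on the resulting element. The function names, the minimal attribute scanner and the sample record values are constructed for this illustration and do not come from Pi-hole's populateDataTable().

```javascript
// Added illustration of the data-tag attribute injection described above.
// This is NOT Pi-hole's populateDataTable(); it reproduces only the shape of
// the flaw: a stored record value concatenated into data-tag="..." unescaped.

// Vulnerable form: the raw value goes into the attribute.
function renderTagVulnerable(value) {
  return '<button class="btn btn-sm" data-tag="' + value + '">Delete</button>';
}

// Hardened form: escape every character that can terminate a double-quoted
// attribute or open a new tag. '&' is escaped first so the entities added
// afterwards are not double-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderTagFixed(value) {
  return '<button class="btn btn-sm" data-tag="' + escapeAttr(value) + '">Delete</button>';
}

// Minimal check: the attribute names present on the first tag of a markup
// string. A regex over one double-quoted tag is sufficient for this
// demonstration; it is not a general HTML parser.
function attributeNames(html) {
  const tag = html.slice(0, html.indexOf('>') + 1);
  const names = [];
  const re = /\s([A-Za-z][\w-]*)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Constructed hosts-style record values: one benign, one carrying the
// double quote that closes data-tag and smuggles in a second attribute.
const benign = '192.168.1.10 nas.lan';
const hostile = '192.168.1.10 nas.lan" title="injected';

// Compare what the browser would see in each case.
function demo() {
  return {
    benign: attributeNames(renderTagVulnerable(benign)),
    vulnerable: attributeNames(renderTagVulnerable(hostile)),
    fixed: attributeNames(renderTagFixed(hostile)),
  };
}

console.log(demo());
```

With the hostile value, the vulnerable render yields a third attribute (title) that the application never wrote; the escaped render keeps the whole string inside data-tag. Whether an injected attribute can do more than change appearance depends on the page's Content Security Policy: a policy that forbids inline script also blocks inline event-handler attributes, which is why the description rates the impact as limited.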
Published: 2026-02-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored HTML Injection
Action: Patch
AI Analysis

Impact

Pi‑hole Admin Interface allows an authenticated administrator to submit local DNS record values (hosts and CNAME entries) that contain double quotes. When the records table is rendered, the value is concatenated into the element's data‑tag attribute without escaping, so the quote terminates the attribute early and the rest of the value is parsed as additional attributes on that element. The value is persisted in Pi‑hole's configuration, so the injection survives restarts and is rendered for every administrator who views the table. Because Pi‑hole ships a Content Security Policy that blocks inline JavaScript, script execution through injected event‑handler attributes is not expected; the remaining impact is control over the attributes of the rendered element.

Affected Systems

All Pi‑hole web interface deployments at version 6.4 or earlier are affected. Exploitation requires an authenticated administrator session (CVSS PR:L), and the web interface is normally reachable only on the local network, so the realistic attacker is someone who already holds, or has obtained, the administrator credentials.

Risk and Exploitability

The vulnerability has a CVSS 3.1 score of 5.4 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), indicating moderate severity with limited confidentiality and integrity impact, and an EPSS score below 1 %, suggesting a low probability of exploitation at the time of analysis. It is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, non‑automatable, with partial technical impact. Exploitation requires an attacker to first obtain an authenticated administrator session on the Pi‑hole interface, after which the injected HTML is rendered whenever the DNS records table is viewed.

Generated by OpenCVE AI on April 18, 2026 at 11:41 UTC.

Remediation

Fixed by the vendor in Pi‑hole web interface version 6.4.1, per the CVE description. No separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole's web interface to version 6.4.1 or later, which fixes the unescaped data‑tag insertion.
  • If an upgrade cannot be performed immediately: the web interface has a single administrator role, so editing of local DNS records cannot be withheld from some administrators and kept for others. Instead, limit who holds the administrator password, keep the interface off untrusted networks, and review the existing hosts and CNAME entries for values containing double quotes, removing any that do.
  • Subscribe to Pi‑hole security advisories and apply subsequent patches promptly.
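An added audit check for the review step above; it is not part of Pi‑hole or OpenCVE. It walks the hosts and cnameRecords arrays and flags any value that could break out of an unescaped attribute. The JSON shape is assumed to match what Pi‑hole v6's GET /api/config/dns returns (config.dns.hosts and config.dns.cnameRecords as arrays of strings); verify that against your instance. The sample payload is constructed for this example.

```javascript
// Added audit helper, not Pi-hole code. Assumption: the input is the parsed
// body of Pi-hole v6's GET /api/config/dns, with config.dns.hosts and
// config.dns.cnameRecords as arrays of record strings. The payload below is
// constructed for this example.
const sampleResponse = {
  config: {
    dns: {
      hosts: [
        '192.168.1.10 nas.lan',
        '192.168.1.20 printer.lan" style="display:none',
      ],
      cnameRecords: [
        'files.lan,nas.lan',
      ],
    },
  },
};

// A double quote is what the advisory describes; the other characters are
// flagged defensively because they can open a tag or a single-quoted attribute.
const SUSPICIOUS = /["'<>]/;

// Returns one finding per record that could not safely be placed in an
// unescaped attribute: which list, which index, the first offending character
// and the full value. An empty array means nothing to clean up.
function auditDnsRecords(response) {
  const dns = (response && response.config && response.config.dns) || {};
  const findings = [];
  for (const list of ['hosts', 'cnameRecords']) {
    const entries = Array.isArray(dns[list]) ? dns[list] : [];
    entries.forEach((value, index) => {
      const m = SUSPICIOUS.exec(String(value));
      if (m) findings.push({ list, index, char: m[0], value: String(value) });
    });
  }
  return findings;
}

// Against a live instance (not run here): fetch /api/config/dns with a valid
// administrator session, JSON-parse the body, and pass it in.
console.log(auditDnsRecords(sampleResponse));
```

Each finding names the list and index, which is enough to locate and delete the entry through the Local DNS Records page or the configuration API before upgrading.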



Advisories

No advisories yet.

History

Each entry below lists the values added; no values were removed in any entry.

Thu, 12 Mar 2026 16:45:00 +0000

  • First Time appeared: added "Pi-hole web Interface"
  • CPEs: added cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*
  • Vendors & Products: added "Pi-hole web Interface"

Fri, 20 Feb 2026 17:15:00 +0000

  • Metrics (ssvc): added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

  • First Time appeared: added "Pi-hole", "Pi-hole web"
  • Vendors & Products: added "Pi-hole", "Pi-hole web"

Thu, 19 Feb 2026 23:00:00 +0000

  • Description: added (identical to the Description at the top of this page)
  • Title: added "Pi-hole Web Interface has Stored HTML Injection via Local DNS Records (CNAME/Hosts) in data-tag Attribute"
  • Weaknesses: added CWE-116, CWE-20, CWE-79
  • References: none recorded
  • Metrics (cvssV3_1): added {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-20T15:40:28.882Z
Reserved: 2026-02-16T22:20:28.611Z
Link: CVE-2026-26952

Vulnrichment

Updated: 2026-02-20T15:27:23.987Z

NVD

Status: Analyzed
Published: 2026-02-19T23:16:26.243
Modified: 2026-03-12T16:33:01.970
Link: CVE-2026-26952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses