Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function contains the value data.x_forwarded_for, which is directly concatenated into an HTML string and inserted into the DOM using jQuery’s .html() method. This method interprets the content as HTML, which means that any HTML tags present in the value will be parsed and rendered by the browser. An attacker can use common tools such as curl, wget, Python requests, Burp Suite, or even JavaScript fetch() to send an authentication request with an X-Forwarded-For header that contains malicious HTML code instead of a legitimate IP address. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited to pure HTML injection without the ability to execute scripts. This issue has been fixed in version 6.4.1.
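The rendering pattern described above, shown as an added example rather than Pi-hole's own code: an untrusted X-Forwarded-For value is placed into a table cell first the way the advisory describes (concatenated straight into markup) and then in hardened form (escaped on output, with an optional check that the header actually looks like a list of IP addresses). The session objects, the sample header value and the function names are constructed for the demonstration and are not taken from the Pi-hole code base.

```javascript
// Added example (not Pi-hole's code): rendering an untrusted X-Forwarded-For
// value into a sessions-table cell. Session objects, the helper names and the
// sample header values below are constructed for the demonstration.

// Minimal HTML entity escaping for text placed inside element content.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern the advisory describes: the header value is concatenated
// straight into markup that is later handed to jQuery's .html(), so any tags
// in it are parsed by the administrator's browser.
function renderForwardedForCellUnsafe(session) {
  return '<td>' + session.x_forwarded_for + '</td>';
}

// Hardened version: treat the header as opaque text and escape it on output.
function renderForwardedForCell(session) {
  const raw = session.x_forwarded_for;
  if (raw === null || raw === undefined || raw === '') {
    return '<td>-</td>';
  }
  return '<td>' + escapeHtml(raw) + '</td>';
}

// Optional second layer: X-Forwarded-For is expected to be a comma-separated
// list of IP addresses. Anything else is shown as a placeholder (and could be
// logged as suspicious) instead of being displayed verbatim.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6_LOOSE = /^[0-9a-fA-F:]+$/; // hex digits and colons only; deliberately permissive

function forwardedForLooksValid(value) {
  return String(value).split(',').every((part) => {
    const token = part.trim();
    return IPV4.test(token) || (token.includes(':') && IPV6_LOOSE.test(token));
  });
}

function renderForwardedForCellStrict(session) {
  const raw = session.x_forwarded_for;
  if (!raw) return '<td>-</td>';
  if (!forwardedForLooksValid(raw)) return '<td>(invalid header value)</td>';
  return '<td>' + escapeHtml(raw) + '</td>';
}

// Constructed sample sessions: one normal, one carrying markup in the header.
const SAMPLE_SESSIONS = [
  { id: 1, x_forwarded_for: '203.0.113.10' },
  { id: 2, x_forwarded_for: '<b>not an address</b>' },
];

for (const s of SAMPLE_SESSIONS) {
  console.log(
    'session', s.id,
    '| unsafe:', renderForwardedForCellUnsafe(s),
    '| escaped:', renderForwardedForCell(s),
    '| strict:', renderForwardedForCellStrict(s),
  );
}
```

When the table is built with jQuery rather than by string concatenation, the equivalent fix is to write the value with `.text()` on the cell instead of `.html()`, which sets a text node and never parses markup; escaping on output, as above, is the string-building counterpart. The CSP the advisory mentions is what kept this to markup injection; it is a backstop, not a substitute for encoding the value.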
Published: 2026-02-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored HTML Injection via X-Forwarded-For header
Action: Apply Patch
AI Analysis

Impact

Pi‑hole’s web interface has a stored HTML injection flaw in the active sessions table on the API settings page. The application concatenates the value of the X‑Forwarded‑For header into an HTML string that is rendered with jQuery’s .html() method. Because the site implements a Content Security Policy that blocks inline JavaScript, an attacker cannot run scripts, but any injected HTML will be rendered in the browser of an administrator who views the active sessions page. This allows a malicious actor to display arbitrary markup, potentially phishing or misleading users, but does not directly provide code execution or data exfiltration.

Affected Systems

Pi‑hole admin interface versions ranging from 6.0 up to, but not including, 6.4.1 are vulnerable. The issue has been fixed in version 6.4.1, which is available on the Pi‑hole GitHub releases page.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low but non‑zero probability of exploitation. The attacker must be authenticated and possess valid login credentials to inject malicious HTML via the X‑Forwarded‑For header. Because the site enforces a CSP that blocks inline scripts, the potential impact is limited to pure markup injection; however, an attacker could still trick administrators into clicking misleading links or interacting with spoofed UI elements.

Generated by OpenCVE AI on April 17, 2026 at 17:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole to version 6.4.1 (or later) to apply the fixed code.
  • Restrict access to the web interface so that only trusted administrators can log in, reducing the exposure surface for authenticated injection.
  • Enable or enforce a strict Content‑Security‑Policy on the server or reverse‑proxy so that even if HTML content were injected, script execution would remain blocked.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 16:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Pi-hole web Interface
CPEs                |                | cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*
Vendors & Products  |                | Pi-hole web Interface

Fri, 20 Feb 2026 16:15:00 +0000

Type                | Values Removed | Values Added
Metrics             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Pi-hole; Pi-hole web
Vendors & Products  |                | Pi-hole; Pi-hole web

Thu, 19 Feb 2026 23:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function contains the value data.x_forwarded_for, which is directly concatenated into an HTML string and inserted into the DOM using jQuery’s .html() method. This method interprets the content as HTML, which means that any HTML tags present in the value will be parsed and rendered by the browser. An attacker can use common tools such as curl, wget, Python requests, Burp Suite, or even JavaScript fetch() to send an authentication request with an X-Forwarded-For header that contains malicious HTML code instead of a legitimate IP address. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited to pure HTML injection without the ability to execute scripts. This issue has been fixed in version 6.4.1.
Title               |                | Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table
Weaknesses          |                | CWE-116; CWE-20; CWE-79
References          |                |
Metrics             |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:39:52.782Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26953

Vulnrichment

Updated: 2026-02-20T15:27:20.608Z

NVD

Status : Analyzed

Published: 2026-02-19T23:16:26.413

Modified: 2026-03-12T16:28:40.273

Link: CVE-2026-26953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses