CVE-2026-26952
📋 TL;DR
CVE-2026-26952 is a stored HTML injection vulnerability in Pi-hole Admin Interface versions 6.4 and below. Authenticated administrators can inject malicious HTML attributes through the local DNS records configuration page, which persists in the configuration and renders each time the DNS records table is viewed. The impact is limited by Pi-hole's Content Security Policy that blocks inline JavaScript execution.
💻 Affected Systems
- Pi-hole Admin Interface
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious administrator could inject HTML attributes that modify the interface appearance or behavior, potentially creating phishing elements or disrupting the admin interface functionality.
Likely Case
Limited HTML attribute injection that could alter table appearance or create misleading interface elements, but no code execution due to CSP restrictions.
If Mitigated
Only visual interface modifications with no security impact beyond potential confusion or minor interface disruption.
🎯 Exploit Status
Exploitation requires authenticated administrator access to the Pi-hole web interface and knowledge of HTML attribute injection techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.1
Vendor Advisory: https://github.com/pi-hole/web/security/advisories/GHSA-6xp4-jw73-f4qp
Restart Required: No
Instructions:
1. Update the Pi-hole web interface to version 6.4.1 or later.
2. Run 'pihole -up' to update Pi-hole components.
3. Clear the browser cache to ensure the new interface loads.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to trusted users only and implement strong authentication controls.
Disable Web Interface
Temporarily disable the web interface if it is not required, and use the Pi-hole CLI for management instead.
sudo pihole disable
Note that 'pihole disable' only pauses Pi-hole's DNS blocking; it does not stop the web server, so the admin interface must be switched off separately for this workaround to take effect.
🧯 If You Can't Patch
- Implement strict access controls to limit who has administrative access to the Pi-hole interface.
- Monitor DNS configuration changes and audit administrative actions regularly.
🔍 How to Verify
Check if Vulnerable:
Check the web interface version in Settings > System, or run 'pihole -v' and read the web interface version from its output.
Check Version:
pihole -v | grep 'Web Interface'
Verify Fix Applied:
Verify that the web interface version is 6.4.1 or later, then enter a DNS record containing special characters (quotes, angle brackets) and confirm that the records table renders them escaped rather than as markup.
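The escaping check described above, as an added example that is not Pi-hole project code: it models the vulnerable pattern (a record value concatenated straight into table markup, so a quote in the hostname terminates the attribute) beside the hardened pattern (every untrusted value escaped for both text and attribute context), and a small attribute tokenizer that counts how many attributes the rendered cell actually carries. The record shape, function names and sample hostname are assumptions for the example.

```javascript
// Added example (not Pi-hole project code). Renders one local DNS record
// into a table row the unsafe way and the safe way, then verifies the result.

// Escape the five characters that can break out of an HTML text or
// double-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the domain lands in markup unescaped, so a quote in it
// closes the data-domain attribute and anything after it becomes new attributes.
function renderRowUnsafe(record) {
  return `<tr><td data-domain="${record.domain}">${record.domain}</td><td>${record.ip}</td></tr>`;
}

// Hardened pattern: the same template, but every untrusted value is escaped.
function renderRowSafe(record) {
  const domain = escapeHtml(record.domain);
  const ip = escapeHtml(record.ip);
  return `<tr><td data-domain="${domain}">${domain}</td><td>${ip}</td></tr>`;
}

// Minimal attribute tokenizer for the inside of a start tag. It honours quoted
// values, so an escaped quote inside a value cannot masquerade as a delimiter.
function attributeNames(tagInner) {
  const names = [];
  let i = 0;
  const skipSpace = () => { while (i < tagInner.length && /\s/.test(tagInner[i])) i++; };
  while (i < tagInner.length) {
    skipSpace();
    if (i >= tagInner.length) break;
    const start = i;
    while (i < tagInner.length && /[^\s=]/.test(tagInner[i])) i++;
    names.push(tagInner.slice(start, i));
    skipSpace();
    if (tagInner[i] === '=') {
      i++;
      skipSpace();
      const q = tagInner[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < tagInner.length && tagInner[i] !== q) i++;
        i++; // step past the closing quote
      } else {
        while (i < tagInner.length && !/\s/.test(tagInner[i])) i++;
      }
    }
  }
  return names;
}

// Names of the attributes on the first <td> of a rendered row.
// A correctly escaped row has exactly one (data-domain) whatever the record holds.
function renderedAttributeNames(rowHtml) {
  const m = rowHtml.match(/<td([^>]*)>/);
  return m ? attributeNames(m[1]) : [];
}

// Constructed sample record: a hostname carrying a quote and a stray attribute.
const sample = { domain: 'nas.lan" title="x', ip: '192.168.1.10' };

console.log('unsafe:', renderedAttributeNames(renderRowUnsafe(sample)));
console.log('safe:  ', renderedAttributeNames(renderRowSafe(sample)));
```

The tokenizer rather than a regex is the point of the verification step: a naive `name=` search would still find `title=` inside the escaped value and report a false positive, while a quote-aware scan correctly sees one attribute on the hardened row and two on the vulnerable one.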
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS record entries containing HTML special characters or quotes
- Multiple configuration changes from same admin session
Network Indicators:
- Unusual HTTP requests to DNS configuration endpoints with payloads containing quotes or HTML attributes
SIEM Query:
source="pihole" AND (message="*DNS*record*" AND (message="*\"*" OR message="*<*" OR message="*>*"))
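The two log indicators and the SIEM query above, applied offline to audit-log lines, as an added example that is not Pi-hole project code. The line format (ISO timestamp, key=value pairs, the record text after 'record=' to end of line), the field names and the session threshold are constructed assumptions for the example and are not Pi-hole's actual log format; the logic is what the query expresses: flag DNS record changes whose content contains a quote or angle bracket, and flag sessions that make many configuration changes.

```javascript
// Added example (not Pi-hole project code). Runs the page's two log
// indicators over constructed audit-log lines.

// Characters that have no business in a hostname or IP but can break out of
// an HTML attribute or tag context.
const SUSPICIOUS_CHARS = /["<>]/;

// Parse one constructed line. Everything after ' record=' is the record text,
// so quotes or spaces inside the record do not disturb the other fields.
function parseLine(line) {
  const idx = line.indexOf(' record=');
  const head = idx === -1 ? line : line.slice(0, idx);
  const record = idx === -1 ? '' : line.slice(idx + ' record='.length);
  const [ts, ...pairs] = head.split(/\s+/);
  const fields = { ts, record };
  for (const p of pairs) {
    const eq = p.indexOf('=');
    if (eq > 0) fields[p.slice(0, eq)] = p.slice(eq + 1);
  }
  return fields;
}

// Apply both indicators. Returns one finding object per hit, in the order
// record-level hits first, then per-session burst hits.
function analyze(lines, maxChangesPerSession = 3) {
  const findings = [];
  const perSession = new Map();
  for (const line of lines) {
    const f = parseLine(line);
    if (f.action !== 'dns_record_update') continue;
    if (SUSPICIOUS_CHARS.test(f.record)) {
      findings.push({ rule: 'html-chars-in-dns-record', ts: f.ts, session: f.session, record: f.record });
    }
    perSession.set(f.session, (perSession.get(f.session) || 0) + 1);
  }
  for (const [session, count] of perSession) {
    if (count >= maxChangesPerSession) {
      findings.push({ rule: 'burst-of-config-changes', session, count });
    }
  }
  return findings;
}

// Constructed sample log: one ordinary change, one login event, then a second
// session that makes three changes in quick succession, one carrying a quote.
const SAMPLE_LOG = [
  '2026-03-01T10:00:00Z session=s1 user=admin action=dns_record_update record=nas.lan 192.168.1.10',
  '2026-03-01T10:00:05Z session=s1 user=admin action=login',
  '2026-03-01T10:01:00Z session=s2 user=admin action=dns_record_update record=printer.lan" title="x 192.168.1.20',
  '2026-03-01T10:01:10Z session=s2 user=admin action=dns_record_update record=tv.lan 192.168.1.21',
  '2026-03-01T10:01:20Z session=s2 user=admin action=dns_record_update record=cam.lan 192.168.1.22',
];

for (const finding of analyze(SAMPLE_LOG)) {
  console.log(JSON.stringify(finding));
}
```

The burst threshold is deliberately low for the sample; in practice it should be tuned to how often administrators legitimately edit local DNS records, and the character check should be applied to the stored record value rather than to the whole HTTP request so that quotes in unrelated fields do not trigger it.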