CVE-2026-26952 Overview
CVE-2026-26952 is a stored HTML injection vulnerability in the Pi-hole Admin Interface, the web-based management console for the Pi-hole network-level ad and tracker blocker. Versions 6.4 and earlier perform improper input validation on the local DNS records configuration page, allowing authenticated administrators to inject HTML that persists in the Pi-hole configuration and is rendered whenever the DNS records table is viewed.
Critical Impact
Authenticated administrators can inject persistent HTML code through DNS record values, potentially enabling UI manipulation, phishing attacks within the admin interface, or exploitation of other authenticated users viewing the DNS records table.
Affected Products
- Pi-hole Admin Interface version 6.4 and earlier
- Pi-hole Web Interface (pi-hole/web repository)
Discovery Timeline
- 2026-02-19 - CVE-2026-26952 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26952
Vulnerability Analysis
The vulnerability exists in the populateDataTable() function within the Pi-hole Admin Interface. When processing DNS record entries, the function retrieves the full DNS record value exactly as entered by the user through the API. This value is then inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. The lack of output encoding creates an injection point where user-controlled data becomes part of the HTML document structure.
When an attacker supplies a DNS record value containing double quote characters ("), they can prematurely close the data-tag attribute and inject additional HTML attributes or elements. While Pi-hole's implementation of a Content Security Policy (CSP) that blocks inline JavaScript significantly limits the attack surface, the HTML injection can still be leveraged for UI manipulation, defacement, or social engineering attacks against other administrators accessing the DNS records page.
Root Cause
The root cause is classified as CWE-20 (Improper Input Validation). The vulnerable code directly interpolates user-supplied data into HTML template strings without proper encoding. Specifically, the data-tag="${data}" template literal allows attribute breakout when the data variable contains quote characters, enabling injection of arbitrary HTML attributes.
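The attribute breakout described above, as an added example that is not Pi-hole's code: the vulnerable `data-tag="${data}"` template next to an attribute-encoded version, with a small tokenizer that shows which attributes a browser would end up seeing on the `<button>`. Pi-hole's actual fix uses `document.createElement()` and the dataset API (not available in Node, which this runs in), so the hardened function here uses attribute-context encoding as the string-templating equivalent; the sample value is constructed.

```javascript
// Added example, not Pi-hole's code: the vulnerable template literal from the
// advisory next to an output-encoded version, plus a small attribute tokenizer
// that shows which attributes a browser would end up seeing on the <button>.

// Vulnerable pattern: the record value is interpolated straight into data-tag.
function renderVulnerable(data) {
  return `<button type="button" class="btn btn-danger btn-xs" data-tag="${data}">x</button>`;
}

// Attribute-context encoding. Pi-hole's fix uses document.createElement and
// the dataset API instead, which is not available here (Node, no DOM); this is
// the string-templating equivalent.
function escapeAttr(value) {
  const map = { "&": "&amp;", '"': "&quot;", "'": "&#39;", "<": "&lt;", ">": "&gt;" };
  return String(value).replace(/[&"'<>]/g, (c) => map[c]);
}

function renderHardened(data) {
  return `<button type="button" class="btn btn-danger btn-xs" data-tag="${escapeAttr(data)}">x</button>`;
}

// Deliberately minimal tokenizer for the attributes of the first tag in a
// markup string (double-quoted values only); not a full HTML parser.
function parseAttributes(markup) {
  const tag = markup.match(/^<\w+\s+([^>]*)>/);
  const attrs = {};
  if (!tag) return attrs;
  const re = /([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) attrs[m[1]] = m[2] === undefined ? "" : m[2];
  return attrs;
}

function attributeNames(markup) {
  return Object.keys(parseAttributes(markup));
}

// Constructed breakout sample: a double quote closes data-tag and the rest of
// the value becomes a new attribute.
const SAMPLE_VALUE = '1.2.3.4" data-injected="1';
console.log(attributeNames(renderVulnerable(SAMPLE_VALUE))); // includes data-injected
console.log(attributeNames(renderHardened(SAMPLE_VALUE)));   // type, class, data-tag only
```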
Attack Vector
The attack requires network access and low-privilege authentication (administrator access to the Pi-hole interface). An attacker with admin credentials can:
- Navigate to the local DNS records configuration page
- Create a new DNS record with a malicious payload containing double quotes
- The injected HTML is stored in the Pi-hole configuration
- Any administrator subsequently viewing the DNS records table will have the injected HTML rendered in their browser
The security patch addresses this vulnerability by switching from string concatenation to DOM element creation using document.createElement(), which properly handles attribute values through the dataset API:
},
rowCallback(row, data) {
$(row).attr("data-id", data);
- const button = `<button type="button"
- class="btn btn-danger btn-xs"
- id="delete${endpoint}${utils.hexEncode(data)}"
- data-tag="${data}"
- data-type="${endpoint}"
- ${setByEnv ? "disabled" : ""}>
- <span class="far fa-trash-alt"></span>
- </button>`;
+
+ // Create delete button
+ const button = document.createElement("button");
+
+ // Set button ID and add CSS classes
+ button.id = `delete${endpoint}${utils.hexEncode(data)}`
+ button.classList.add("btn", "btn-danger", "btn-xs");
+
+ // Set data-* attributes
+ button.dataset.type = endpoint;
+ button.dataset.tag = data;
+
+ // Disable the button if set by environment variables
+ button.disabled = setByEnv ? true : false;
+
+ // Add a trash icon to the button
+ const iconSpan = document.createElement("span");
+ iconSpan.classList.add("far", "fa-trash-alt");
+ button.append(iconSpan);
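Review bot: `button.id = \`delete${endpoint}${utils.hexEncode(data)}\`` is missing its trailing semicolon while every other statement in the hunk has one; add it. `button.disabled = setByEnv ? true : false;` can be written `button.disabled = Boolean(setByEnv);`. The hunk ends after `button.append(iconSpan);` without showing where the new element is attached to the row, so confirm that the remaining rowCallback code appends the element node itself rather than building another markup string around it, since the point of the change is to stop string-based HTML generation.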
Source: GitHub Commit Update
Detection Methods for CVE-2026-26952
Indicators of Compromise
- DNS record entries containing double quote characters (") followed by HTML attribute syntax (e.g., onclick, onmouseover, style)
- Unusual or unexpected HTML elements appearing in the DNS records table view
- Log entries showing DNS record creation with suspicious payloads containing angle brackets (<, >) or attribute injection patterns
Detection Strategies
- Review Pi-hole DNS record configurations for entries containing HTML special characters or attribute injection patterns
- Monitor admin interface access logs for unusual patterns of DNS record modifications
- Implement web application firewall (WAF) rules to detect HTML injection attempts in form submissions to the DNS records API endpoint
- Audit administrator account activity for unexpected DNS record changes
Monitoring Recommendations
- Enable verbose logging on the Pi-hole Admin Interface to capture DNS record modification events
- Set up alerting for DNS record entries containing potentially malicious characters (quotes, angle brackets, event handlers)
- Regularly review the /etc/pihole/ configuration files for anomalous entries
- Monitor browser console errors that may indicate failed injection attempts blocked by CSP
How to Mitigate CVE-2026-26952
Immediate Actions Required
- Upgrade Pi-hole Admin Interface to version 6.4.1 or later immediately
- Review existing DNS records for any suspicious entries containing HTML special characters
- Audit administrator account access and ensure proper access controls are in place
- Consider temporarily restricting admin interface access to trusted networks until patching is complete
Patch Information
The vulnerability has been fixed in Pi-hole Admin Interface version 6.4.1. The fix replaces insecure string-based HTML generation with DOM construction using document.createElement() and the dataset API, which assigns attribute values through the DOM rather than by text interpolation, so quote characters in a record value can no longer break out of the attribute.
- Fixed Version: 6.4.1
- Patch Commit: d328f143718022d82dc94c8751121ca41be3b996
- Release Notes: GitHub Release v6.4.1
- Security Advisory: GHSA-6xp4-jw73-f4qp
Workarounds
- Restrict administrative access to the Pi-hole interface to only trusted users and networks
- Implement network-level access controls (firewall rules, VPN requirements) for accessing the admin interface
- Enable and monitor the existing Content Security Policy, which provides partial mitigation by blocking inline JavaScript execution
- Regularly audit DNS records for suspicious entries until the patch can be applied
# Update Pi-hole to the latest version
pihole -up
# Verify the installed web interface version
pihole -v
# Review DNS records for suspicious entries
grep -E '["<>]' /etc/pihole/custom.list
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

