CVE-2026-26953 Overview
CVE-2026-26953 is a Stored HTML Injection vulnerability affecting the Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. The vulnerability exists in versions 6.0 and above, specifically in the active sessions table located on the API settings page. An attacker with valid credentials can inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page.
Critical Impact
Authenticated attackers can inject persistent HTML content into the Pi-hole admin interface, potentially enabling phishing attacks, UI defacement, or social engineering against other administrators viewing the active sessions page.
Affected Products
- Pi-hole Admin Interface (web) versions 6.0 through 6.4.0
Discovery Timeline
- 2026-02-19 - CVE-2026-26953 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26953
Vulnerability Analysis
This vulnerability is classified as CWE-20 (Improper Input Validation) and manifests in the rowCallback function within the active sessions table functionality. The function processes the data.x_forwarded_for value, which represents the X-Forwarded-For HTTP header from authentication requests. This value is directly concatenated into an HTML string and inserted into the DOM using jQuery's .html() method, which interprets the content as HTML rather than treating it as plain text.
When administrators view the active sessions page, any HTML tags present in the stored X-Forwarded-For values will be parsed and rendered by the browser. While Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript execution, the vulnerability still allows for pure HTML injection without script execution capabilities.
Root Cause
The root cause is improper input validation and unsafe DOM manipulation. The application fails to sanitize or encode the X-Forwarded-For header value before inserting it into the DOM. By using jQuery's .html() method instead of .text() or proper HTML encoding, user-controlled input is interpreted as HTML markup rather than being displayed as literal text.
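The following is an added example, not Pi-hole's own code, that contrasts the unsafe rendering pattern described above with an escaped version and shows what a browser's parser would see in each case. The record field names (remote_addr, x_forwarded_for), the function names and the session value are assumptions for illustration; the project's real rowCallback and table layout are not reproduced here.

```javascript
// Added example, not Pi-hole's own code: the unsafe-vs-escaped rendering
// pattern described in the analysis above. Field names (remote_addr,
// x_forwarded_for) and function names are assumptions for illustration.

// Escape the five characters that let plain text be read as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored header value is concatenated into an HTML
// string. In the real interface that string reaches jQuery's .html(), which
// parses it as markup, so any tag in the value becomes a live element.
function renderSessionCellUnsafe(session) {
  return "<td>" + session.remote_addr + "<br>" +
         "X-Forwarded-For: " + session.x_forwarded_for + "</td>";
}

// Hardened pattern: each untrusted field is escaped before concatenation.
// (The equivalent fix when building cells with jQuery is to set the value
// with .text() on the target element instead of inlining it into .html().)
function renderSessionCellSafe(session) {
  return "<td>" + escapeHtml(session.remote_addr) + "<br>" +
         "X-Forwarded-For: " + escapeHtml(session.x_forwarded_for) + "</td>";
}

// Stand-in for the browser's parser: the names of all elements opened in
// the markup. The cell template itself legitimately contributes td and br.
function elementNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed session record: the X-Forwarded-For value is a tag rather than
// an IP address, which is exactly the condition the advisory describes.
const sampleSession = {
  remote_addr: "192.0.2.10",
  x_forwarded_for: "<b>constructed non-IP value</b>",
};

// Only the unsafe rendering hands the browser an extra <b> element;
// the escaped rendering shows the same string as literal text.
console.log(elementNames(renderSessionCellUnsafe(sampleSession)));
console.log(elementNames(renderSessionCellSafe(sampleSession)));
```

Run it with Node to compare the two element lists. The point of the escaped version is not that it strips tags but that it removes the ambiguity: the header value is always data, never markup, regardless of what CSP does or does not block.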
Attack Vector
An attacker with valid Pi-hole credentials can exploit this vulnerability by sending authentication requests with crafted X-Forwarded-For headers containing malicious HTML code instead of legitimate IP addresses. Common tools such as curl, wget, Python requests, Burp Suite, or JavaScript fetch() can be used to send these malicious requests.
The attack requires network access and valid credentials (low privileges), but once injected, the malicious HTML persists in the active sessions table and affects any administrator who subsequently views that page. While script execution is blocked by CSP, attackers could inject phishing forms, misleading content, or UI elements designed to deceive administrators.
Detection Methods for CVE-2026-26953
Indicators of Compromise
- Unusual or malformed entries in the active sessions table containing HTML tags
- X-Forwarded-For header values that contain angle brackets (<, >) or HTML element names
- Authentication logs showing requests with non-IP-address content in the X-Forwarded-For header
- User reports of unexpected visual elements or forms on the API settings page
Detection Strategies
- Monitor authentication request logs for X-Forwarded-For headers containing HTML markup patterns
- Implement web application firewall (WAF) rules to detect and block HTML tags in header values
- Review active sessions data for entries that do not conform to valid IP address formats
- Configure SentinelOne Singularity to monitor for anomalous web traffic patterns targeting Pi-hole instances
Monitoring Recommendations
- Enable detailed logging for the Pi-hole web interface to capture all authentication attempts
- Set up alerts for X-Forwarded-For header values exceeding typical IP address length
- Periodically audit the active sessions table for suspicious entries
- Monitor for multiple authentication attempts from the same source with varying X-Forwarded-For values
How to Mitigate CVE-2026-26953
Immediate Actions Required
- Upgrade Pi-hole Admin Interface (web) to version 6.4.1 or later immediately
- Review active sessions for any suspicious entries containing HTML markup
- Restrict access to the Pi-hole admin interface to trusted networks only
- Audit recent authentication logs for signs of exploitation attempts
Patch Information
This vulnerability has been fixed in Pi-hole Admin Interface version 6.4.1. The fix addresses the improper handling of the X-Forwarded-For header value in the rowCallback function. Organizations should update to this version or later to remediate the vulnerability.
For detailed patch information, see the GitHub Commit Update and download the patched version from the GitHub Release Version 6.4.1.
Additional technical details are available in the GitHub Security Advisory GHSA-8rw8-vjgp-rwj6.
Workarounds
- Limit admin interface access to localhost or trusted management networks via firewall rules
- Implement a reverse proxy with header sanitization to filter malicious X-Forwarded-For values
- Restrict Pi-hole user accounts to minimize the number of credentials that could be used for exploitation
- Monitor the active sessions page manually and clear suspicious entries until patching is possible
# Example: Restrict Pi-hole admin access to localhost using iptables
# Accept the web interface port only from the loopback address, then drop all
# other sources. Rules are appended, so an earlier ACCEPT for port 80 still wins;
# repeat for port 443 if HTTPS is enabled and mirror the rules in ip6tables.
iptables -A INPUT -p tcp --dport 80 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

