Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-26953

CVE-2026-26953: Pi-hole Web Interface XSS Vulnerability

CVE-2026-26953 is a stored HTML injection vulnerability in Pi-hole Web Interface that lets attackers inject malicious HTML via X-Forwarded-For headers. This article covers the technical details, affected versions, and mitigations.

Updated:

CVE-2026-26953 Overview

CVE-2026-26953 is a stored HTML injection vulnerability in the Pi-hole Admin Interface, the web management console for the Pi-hole network-level ad and tracker blocking application. The flaw affects versions 6.0 and above and resides in the active sessions table on the API settings page. An authenticated attacker can submit a crafted X-Forwarded-For header during authentication, which is later rendered as HTML in the administrator's browser. Pi-hole's Content Security Policy (CSP) blocks inline JavaScript, so the impact is limited to HTML injection without script execution. The issue is resolved in version 6.4.1.

Critical Impact

Authenticated attackers can persistently inject arbitrary HTML into the admin interface, enabling content spoofing and phishing against Pi-hole administrators.

Affected Products

  • Pi-hole Web Interface 6.0
  • Pi-hole Web Interface versions above 6.0 and below 6.4.1
  • Pi-hole Admin Interface API settings page (active sessions table)

Discovery Timeline

  • 2026-02-19 - CVE-2026-26953 published to NVD
  • 2026-03-12 - Last updated in NVD database

Technical Details for CVE-2026-26953

Vulnerability Analysis

The vulnerability is a stored HTML injection issue [CWE-79] combined with improper input validation [CWE-20]. The active sessions table on the API settings page uses a rowCallback function that reads the data.x_forwarded_for field. The function concatenates that value directly into an HTML string and inserts the result into the DOM using jQuery's .html() method.

Because .html() parses content as HTML rather than text, any tags supplied in the header are rendered by the administrator's browser. The injection is stored, so it triggers each time an administrator views the sessions page. Pi-hole enforces a Content Security Policy that blocks inline JavaScript, which prevents direct script execution. Attackers can still inject styled markup, fake login forms, hyperlinks, and other HTML elements to mislead administrators.

Root Cause

The root cause is unsafe DOM insertion of untrusted input. The client-side code treats the attacker-controlled X-Forwarded-For value as trusted HTML rather than as text. Using .text() or proper HTML encoding would have prevented the injection. The server also accepts the header value without validating that it conforms to an IP address format.

Attack Vector

An attacker requires valid credentials to authenticate against the Pi-hole API. The attacker sends an authentication request with an X-Forwarded-For header containing HTML markup instead of an IP address. Common tools such as curl, wget, Python requests, Burp Suite, or browser fetch() can craft the request. The malicious value is stored as part of the session record and rendered each time an administrator opens the active sessions view.

The vulnerability is described in prose only. See the GitHub Security Advisory GHSA-8rw8-vjgp-rwj6 for full technical details.

Detection Methods for CVE-2026-26953

Indicators of Compromise

  • Authentication requests containing HTML tags or angle brackets in the X-Forwarded-For header
  • Session records in the Pi-hole API where the stored client IP value is not a valid IPv4 or IPv6 address
  • Unexpected markup, iframes, or anchor tags appearing in the active sessions table of the admin interface

Detection Strategies

  • Review web server and reverse proxy access logs for requests to the Pi-hole authentication endpoint with non-IP values in X-Forwarded-For
  • Inspect the active sessions table contents directly via the API and flag entries whose x_forwarded_for field fails IP address validation
  • Monitor for repeated failed or successful logins from accounts that submit malformed forwarding headers

Monitoring Recommendations

  • Enable verbose logging on any upstream proxy fronting the Pi-hole admin interface to capture full request headers
  • Alert on administrator accounts authenticating from unusual locations or with unexpected header content
  • Track configuration changes and patch state of the Pi-hole web interface to confirm version 6.4.1 or later is deployed

How to Mitigate CVE-2026-26953

Immediate Actions Required

  • Upgrade the Pi-hole web interface to version 6.4.1 or later, which contains the official fix
  • Rotate Pi-hole administrator credentials if shared or low-complexity passwords are in use
  • Restrict network access to the Pi-hole admin interface so only trusted management hosts can reach it

Patch Information

The maintainers fixed the vulnerability in GitHub Release v6.4.1. The corrective change is published in GitHub Commit 1a0c6f4f and documented in GitHub Security Advisory GHSA-8rw8-vjgp-rwj6.

Workarounds

  • Place the Pi-hole admin interface behind a reverse proxy that strips or validates the X-Forwarded-For header before it reaches Pi-hole
  • Limit Pi-hole administrative accounts to a minimum set of trusted users until the upgrade is applied
  • Avoid exposing the Pi-hole admin interface to untrusted networks or the public internet
bash
# Example nginx directive to sanitize X-Forwarded-For before proxying to Pi-hole
proxy_set_header X-Forwarded-For $remote_addr;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.