HTML Injection Vulnerability in PowerDNS DNSdist Dashboard
CVE-2026-0396

3.1LOW

Key Information:

Vendor: Powerdns
Status: Dnsdist
Vendor: CVE Published:; 31 March 2026

What is CVE-2026-0396?

An HTML injection vulnerability in PowerDNS DNSdist can allow attackers to send specially crafted DNS queries to the web dashboard. This issue arises when domain-based dynamic rules are enabled through the DynBlockRulesGroup functions, permitting unauthorized HTML content injection into the dashboard. Attackers leveraging this vulnerability can manipulate the dashboard's display, potentially leading to further security issues or unauthorized access.

Affected Version(s)

DNSdist 1.9.0 < 1.9.12

DNSdist 2.0.0 < 2.0.3

References

https://www.dnsdist.org/security-advisories/powerdns-advi...

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2026
Vulnerability Reserved
Nov 28, 2025

Credit

Aisle Research

CVE-2026-0396 Data

JSON

Powerdns

What is CVE-2026-0396?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit