Stored HTML Injection Vulnerability in Pi-hole Admin Interface
CVE-2026-26952

5.4 MEDIUM

Key Information:

Vendor: Pi-hole

Status
Vendor
CVE Published: 19 February 2026

What is CVE-2026-26952?

The Pi-hole Admin Interface, the web interface used to manage Pi-hole, contains a stored HTML injection vulnerability in versions 6.4 and below. An authenticated administrator can exploit the flaw through the local DNS records configuration page by entering malicious code, which is then stored in the Pi-hole configuration. The root cause is improper handling of user input in the populateDataTable() function, where input is inserted directly into HTML attributes without sufficient escaping or sanitization. Pi-hole's Content Security Policy (CSP) mitigates the execution of inline JavaScript, but the flaw still allows additional HTML attributes to be injected, potentially leading to further security issues. The vulnerability is fixed in version 6.4.1.
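The attribute-context flaw described above, shown as an added example that is not Pi-hole's code: the function names, the button markup and the sample record are hypothetical and constructed for illustration. It contrasts concatenating a stored value into an attribute with escaping it first, then lists the attributes each version produces.

```javascript
// Added illustration; not Pi-hole's code. Names and markup are hypothetical.

// Escape every character that can end or reinterpret an attribute value.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored value concatenated straight into an attribute.
function renderRowUnsafe(record) {
  return '<button class="edit" data-record="' + record + '">Edit</button>';
}

// Hardened pattern: same markup, value escaped for the attribute context.
function renderRowSafe(record) {
  return '<button class="edit" data-record="' + escapeHtmlAttr(record) + '">Edit</button>';
}

// List the attribute names present on the tag (simplified: double-quoted attributes only).
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z][\w-]*)="/g)].map((m) => m[1]);
}

// Constructed sample of a stored local DNS record value containing a double quote.
const storedRecord = 'host.lan" data-injected="1';

console.log(attributeNames(renderRowUnsafe(storedRecord))); // extra attribute appears
console.log(attributeNames(renderRowSafe(storedRecord)));   // only the intended attributes
```

In browser code, creating the element with document.createElement() and assigning the value with setAttribute() avoids the string context entirely.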

Affected Version(s)

web < 6.4.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
