Stored HTML Injection Vulnerability in Pi-hole Admin Interface by Pi-hole
CVE-2026-26953

5.4 MEDIUM

Key Information:

Vendor

Pi-hole

Status
Vendor
CVE Published: 19 February 2026

What is CVE-2026-26953?

The Pi-hole Admin Interface, used for managing the Pi-hole ad blocking application, contains a Stored HTML Injection flaw in the active sessions table on the API settings page. This vulnerability allows authenticated attackers to inject arbitrary HTML, which is then rendered in the browsers of administrators visiting the affected page. Attackers can leverage tools such as curl or Burp Suite to submit requests with malicious HTML embedded in the X-Forwarded-For header. While the Content Security Policy implemented by Pi-hole limits the impact to pure HTML injection, it still poses a significant security risk. The issue has been addressed in version 6.4.1.
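The class of bug described above, as an added example that is not Pi-hole's own code: a session-table row built by string concatenation next to a version that encodes every client-influenced field on output, plus a shape check on the header at ingest. The record layout and all function names are hypothetical, and the session records are constructed sample data.

```javascript
// Added example: hypothetical session-table renderer, not Pi-hole's code.
// Constructed session records; the second one carries markup in the field
// that was filled from the client-supplied X-Forwarded-For header.
const sessions = [
  { id: 1, remoteAddr: "192.168.1.20", xForwardedFor: "10.0.0.5" },
  { id: 2, remoteAddr: "192.168.1.31", xForwardedFor: "<h1>Session expired</h1>" },
];

// Vulnerable pattern: the stored header value is concatenated into markup,
// so whatever the client sent becomes part of the page structure.
function renderRowUnsafe(s) {
  return "<tr><td>" + s.id + "</td><td>" + s.remoteAddr +
    "</td><td>" + s.xForwardedFor + "</td></tr>";
}

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every field is encoded at the point of output, so a
// stored value can only ever appear as text inside its table cell.
function renderRowSafe(s) {
  const cells = [s.id, s.remoteAddr, s.xForwardedFor];
  return "<tr>" + cells.map((v) => "<td>" + escapeHtml(v) + "</td>").join("") + "</tr>";
}

// Defence in depth at ingest: a coarse shape check, not full IP parsing.
// Each comma-separated hop may contain only characters that occur in
// IPv4/IPv6 literals; anything else is rejected before it is stored.
function isPlausibleForwardedFor(header) {
  return header
    .split(",")
    .every((hop) => /^[0-9A-Fa-f:.]{2,45}$/.test(hop.trim()));
}

for (const s of sessions) {
  console.log(isPlausibleForwardedFor(s.xForwardedFor), renderRowSafe(s));
}
```

Output encoding is the control that closes the injection; the ingest check only keeps malformed values out of the session store.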

Affected Version(s)

web < 6.4.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
