PT-2026-20953 · Pi-Hole · Pi-Hole

T0X1Cx · Published 2026-02-19 · Updated 2026-03-12 · CVE-2026-26952

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pi-hole versions 6.4 and below

Description: Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application, is susceptible to stored HTML injection through the local DNS records configuration page. An authenticated administrator can inject code that is stored in the Pi-hole configuration and rendered when the DNS records table is viewed. The populateDataTable() function includes a data variable containing the full DNS record value, which is directly inserted into the data-tag HTML attribute without proper escaping or sanitization. An attacker can exploit this by supplying a value containing double quotes (") to prematurely close the data-tag attribute and inject additional HTML attributes. The impact is limited due to Pi-hole’s Content Security Policy (CSP) that blocks inline JavaScript.

Recommendations: Update to version 6.4.1 or later.
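The following is an added example, not Pi-hole's code and not taken from the advisory: it places the unescaped attribute pattern the description refers to next to a hardened version that attribute-escapes the record value, plus a small check that counts the attributes actually present on the rendered row. The "ip hostname" record layout, the helper names and the constructed sample record are assumptions.

```javascript
// Added example (not Pi-hole's populateDataTable()): rendering a DNS record
// into a table row with and without attribute escaping.
// Assumptions: records look like "ip hostname"; function names are hypothetical.

// Escape the characters that can terminate an attribute value or a text node.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The flawed pattern: the raw record is concatenated straight into data-tag.
function renderRowUnsafe(record) {
  return '<tr data-tag="' + record + '"><td>' + record + '</td></tr>';
}

// Hardened pattern: every dynamic value is escaped before it reaches markup.
// In browser code, setAttribute() and textContent achieve the same result
// without building HTML strings at all.
function renderRowSafe(record) {
  const esc = escapeHtmlAttr(record);
  return '<tr data-tag="' + esc + '"><td>' + esc + '</td></tr>';
}

// Reviewer check: list the attribute names on the opening <tr> tag so a
// record value that smuggled in extra attributes is visible as such.
function openingTagAttributes(html) {
  const m = html.match(/^<tr([^>]*)>/);
  if (!m) return [];
  const names = [];
  const re = /([a-zA-Z-]+)="([^"]*)"/g;
  let a;
  while ((a = re.exec(m[1])) !== null) names.push(a[1]);
  return names;
}

// Constructed sample record containing a double quote, the character the
// advisory identifies as closing the data-tag attribute early.
const SAMPLE_RECORD = '192.0.2.10 printer.lan" data-injected="1';

// Stand-alone run: the unsafe row carries two attributes, the safe row one.
console.log(openingTagAttributes(renderRowUnsafe(SAMPLE_RECORD)));
console.log(openingTagAttributes(renderRowSafe(SAMPLE_RECORD)));
```

The attribute-count check is the detection side of the advisory: any rendered row whose opening tag exposes more than the attributes the template defines indicates that a stored value reached the markup unescaped. CSP limits what such a breakout can do, as the description notes, but the fix is output encoding, not reliance on CSP.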

Tags: Exploit · Fix · XSS · RCE · Improper Encoding or Escaping of Output

Weakness Enumeration:

Related Identifiers: CVE-2026-26952, GHSA-6XP4-JW73-F4QP

Affected Products: Pi-Hole