PT-2026-20961 · Pi-Hole · Pi-Hole

T0X1Cx · Published 2026-02-19 · Updated 2026-03-12 · CVE-2026-26953

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Pi-hole versions 6.0 through 6.4.0

Description: Pi-hole Admin Interface, the web interface for managing Pi-hole (a network-level ad and internet tracker blocking application), contains a stored HTML injection issue in the active sessions table on the API settings page. An attacker with valid credentials can inject arbitrary HTML that is rendered in the browser of any administrator who views the active sessions page. The table's rowCallback function takes the forwarded-for value stored with each session (data.x forwarded for), concatenates it directly into an HTML string and inserts that string into the Document Object Model (DOM) with jQuery's .html() method, so HTML tags carried in the X-Forwarded-For header are parsed and rendered by the browser. The crafted header can be sent as part of an authentication request with any HTTP client, such as curl, wget, Python requests, Burp Suite or JavaScript fetch(). Because the Content Security Policy (CSP) that Pi-hole ships blocks inline JavaScript, the impact is limited to HTML injection rather than script execution.

Recommendations: Update Pi-hole to version 6.4.1 or later.
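The pattern behind this finding, as an added illustration that is not Pi-hole's code: a session row is built by string concatenation and later handed to jQuery's .html(), so any markup in the stored header value becomes part of the page. The field name x_forwarded_for and the sample session record are constructed for the example; the hardened variant escapes every untrusted field before it is concatenated, and a small review helper checks whether a rendered row carries tags that did not come from the template.

```javascript
// Added example (not Pi-hole's own code). Shows the unsafe rendering pattern
// described in the advisory next to an escaped version, plus a check a reviewer
// or unit test can use to catch the difference.

// Minimal HTML escaper for the characters that matter in text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed session record, shaped like what a sessions table might receive.
// The x_forwarded_for field name is an assumption, not Pi-hole's schema; the value
// is deliberately benign markup so the effect is visible without doing anything.
const sampleSession = {
  remote_addr: '192.0.2.10',
  x_forwarded_for: '<b>spoofed</b>',
  user_agent: 'curl/8.0',
};

// Vulnerable pattern: untrusted values concatenated straight into markup.
// Passing this string to $(row).html(...) makes the browser parse the <b> tag.
function renderRowUnsafe(session) {
  return '<td>' + session.remote_addr + '</td>' +
         '<td>' + session.x_forwarded_for + '</td>';
}

// Hardened pattern: every data-derived field is escaped before it touches markup,
// so the browser shows the literal text "<b>spoofed</b>" instead of rendering it.
function renderRowSafe(session) {
  return '<td>' + escapeHtml(session.remote_addr) + '</td>' +
         '<td>' + escapeHtml(session.x_forwarded_for) + '</td>';
}

// Review/test helper: strip the template's own <td> cells; any tag-like text that
// remains must have come from the data rather than from the template.
function leaksMarkup(renderedRow) {
  const stripped = renderedRow.replace(/<\/?td>/g, '');
  return /<[a-zA-Z!\/]/.test(stripped);
}

// Stand-alone demonstration.
console.log('unsafe row leaks markup:', leaksMarkup(renderRowUnsafe(sampleSession)));
console.log('safe row leaks markup:  ', leaksMarkup(renderRowSafe(sampleSession)));
console.log('safe row:', renderRowSafe(sampleSession));
```

When a cell holds a single value, the simpler fix in jQuery is to write it with .text() rather than .html(), which creates a text node and needs no escaping at all; escaping is only required when the value has to be spliced into a larger markup string, as in the rowCallback case described above. The leaksMarkup check is a useful regression test for either fix, and CSP, as the advisory notes, is a second layer that limits impact but does not remove the injection.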

Exploit · Fix · XSS · RCE

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-26953, GHSA-8RW8-VJGP-RWJ6

Affected Products: Pi-Hole