Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
AnalysisAI
HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via crafted DNS queries when domain-based dynamic rules are enabled, requiring user interaction to exploit. This affects all DNSdist versions with vulnerable rule functionality and carries low integrity impact with no confidentiality or availability consequences.
Technical ContextAI
DNSdist is PowerDNS's high-performance DNS load balancer and security appliance. The vulnerability stems from insufficient input validation in the DynBlockRulesGroup functionality, specifically the setSuffixMatchRule and setSuffixMatchRuleFFI methods, which process DNS query data that is subsequently reflected into the internal web dashboard without proper HTML escaping. This allows attackers to inject arbitrary HTML/JavaScript content. The root cause is a classic input validation failure (CWE category: Improper Neutralization of Input During Web Page Generation) where DNS query parameters derived from attacker-controlled sources are rendered into a web interface without sanitization. The CPE cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:* indicates all DNSdist versions are potentially affected when dynamic rules are configured.
RemediationAI
Apply the security update released by PowerDNS in response to this advisory-consult https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for the specific patched version number and upgrade procedures. As an interim mitigation, disable domain-based dynamic rules (DynBlockRulesGroup:setSuffixMatchRule and DynBlockRulesGroup:setSuffixMatchRuleFFI) if they are not essential to your deployment, or restrict access to the internal web dashboard to trusted networks only. Input validation improvements in the patched version will sanitize DNS-derived data before rendering in the dashboard.
dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.
PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d
DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan
An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d
Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious
Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential
DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method
Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service
dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB respon
dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti
Same weakness CWE-80 – Basic XSS
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | (unfixed) | end-of-life |
| bookworm | fixed | (unfixed) | end-of-life |
| trixie | vulnerable | 1.9.10-1+deb13u1 | - |
| forky | vulnerable | 2.0.2-1 | - |
| sid | fixed | 2.0.3-1 | - |
| (unstable) | fixed | 2.0.3-1 | - |
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17361