Web Interface
Stored HTML injection in Pi-hole Admin Interface versions 6.0+ allows authenticated attackers to inject arbitrary HTML into the active sessions table via the X-Forwarded-For header, which is rendered without escaping when administrators view the API settings page. Public exploit code exists for this vulnerability, which affects administrators who manage Pi-hole instances. An attacker with valid credentials can use it to perform client-side attacks against other administrators viewing the stored session data.
Pi-hole Admin Interface versions 6.4 and below allow authenticated administrators to inject stored HTML code through improperly sanitized DNS record inputs, enabling persistent attacks visible to any user viewing the DNS records table. The vulnerability exists in the populateDataTable() function, which fails to escape special characters in user-supplied data before inserting it into HTML attributes. An attacker with admin privileges can inject malicious code that executes each time the DNS records page is accessed.