CVE-2026-26952

{"id": "CVE-2026-26952", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-02-19T23:16:26.243", "references": [{"url": "https://github.com/pi-hole/web/commit/d328f143718022d82dc94c8751121ca41be3b996", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pi-hole/web/releases/tag/v6.4.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pi-hole/web/security/advisories/GHSA-6xp4-jw73-f4qp", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes (\"), they can prematurely \u201cclose\u201d the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1."}, {"lang": "es", "value": "La Interfaz de administraci\u00f3n de Pi-hole es una interfaz web para gestionar Pi-hole, una aplicaci\u00f3n de bloqueo de anuncios y rastreadores de internet a nivel de red. Las versiones 6.4 e inferiores son vulnerables a la inyecci\u00f3n de HTML almacenado a trav\u00e9s de la p\u00e1gina de configuraci\u00f3n de registros DNS locales, lo que permite a un administrador autenticado inyectar c\u00f3digo que se almacena en la configuraci\u00f3n de Pi-hole y se renderiza cada vez que se visualiza la tabla de registros DNS. La funci\u00f3n populateDataTable() contiene una variable de datos con el valor completo del registro DNS exactamente como lo introdujo el usuario y devuelto por la API. Este valor se inserta directamente en el atributo HTML data-tag sin ning\u00fan escape o sanitizaci\u00f3n de caracteres especiales. Cuando un atacante proporciona un valor que contiene comillas dobles (\"), pueden 'cerrar' prematuramente el atributo data-tag e inyectar atributos HTML adicionales en el elemento. Dado que Pi-hole implementa una Pol\u00edtica de Seguridad de Contenido (CSP) que bloquea JavaScript en l\u00ednea, el impacto es limitado. Este problema ha sido solucionado en la versi\u00f3n 6.4.1."}], "lastModified": "2026-03-12T16:33:01.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BC7CDAC-AB62-4F32-B3C5-34AC7EE1953F", "versionEndExcluding": "6.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}