CVE-2026-26953

{"id": "CVE-2026-26953", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-02-19T23:16:26.413", "references": [{"url": "https://github.com/pi-hole/web/commit/1a0c6f4fe6d0116fd2846b2adaae95996b7f194d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pi-hole/web/releases/tag/v6.4.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pi-hole/web/security/advisories/GHSA-8rw8-vjgp-rwj6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function contains the value data.x_forwarded_for, which is directly concatenated into an HTML string and inserted into the DOM using jQuery\u2019s .html() method. This method interprets the content as HTML, which means that any HTML tags present in the value will be parsed and rendered by the browser. An attacker can use common tools such as curl, wget, Python requests, Burp Suite, or even JavaScript fetch() to send an authentication request with an X-Forwarded-For header that contains malicious HTML code instead of a legitimate IP address. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited to pure HTML injection without the ability to execute scripts. This issue has been fixed in version 6.4.1."}, {"lang": "es", "value": "La Interfaz de administraci\u00f3n de Pi-hole es una interfaz web para gestionar Pi-hole, una aplicaci\u00f3n de bloqueo de anuncios y rastreadores de internet a nivel de red. Las versiones 6.0 y superiores tienen una vulnerabilidad de inyecci\u00f3n HTML almacenada en la tabla de sesiones activas ubicada en la p\u00e1gina de configuraci\u00f3n de la API, permitiendo a un atacante con credenciales v\u00e1lidas inyectar c\u00f3digo HTML arbitrario que se renderizar\u00e1 en el navegador de cualquier administrador que visite la p\u00e1gina de sesiones activas. La funci\u00f3n rowCallback contiene el valor data.x_forwarded_for, que se concatena directamente en una cadena HTML y se inserta en el DOM utilizando el m\u00e9todo .html() de jQuery. Este m\u00e9todo interpreta el contenido como HTML, lo que significa que cualquier etiqueta HTML presente en el valor ser\u00e1 analizada y renderizada por el navegador. Un atacante puede usar herramientas comunes como curl, wget, Python requests, Burp Suite, o incluso JavaScript fetch() para enviar una solicitud de autenticaci\u00f3n con una cabecera X-Forwarded-For que contiene c\u00f3digo HTML malicioso en lugar de una direcci\u00f3n IP leg\u00edtima. Dado que Pi-hole implementa una Pol\u00edtica de Seguridad de Contenido (CSP) que bloquea JavaScript en l\u00ednea, el impacto se limita a la inyecci\u00f3n de HTML puro sin la capacidad de ejecutar scripts. Este problema ha sido solucionado en la versi\u00f3n 6.4.1."}], "lastModified": "2026-03-12T16:28:40.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A4691B2-6ECB-42D3-9E31-3D2CCE17A62D", "versionEndExcluding": "6.4.1", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}