CVE-2026-26952: CWE-20: Improper Input Validation in pi-hole web
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.
AI Analysis
Technical Summary
Pi-hole is a network-level ad and tracker blocking application with a web-based admin interface. Versions 6.4 and earlier contain a stored HTML injection vulnerability (CVE-2026-26952) in the local DNS records configuration page. The populateDataTable() JavaScript function takes the full DNS record value, exactly as entered by the user and returned by the API, and concatenates it into a data-tag HTML attribute without escaping special characters such as double quotes. A record value containing a double quote therefore terminates the data-tag attribute early, and whatever follows it is parsed as further attributes on the same element. Because the value is persisted in the Pi-hole configuration, the payload is rendered to every administrator who subsequently views the DNS records table, not only to the one who entered it. Pi-hole's Content Security Policy blocks inline JavaScript, so injected event-handler attributes such as onclick do not execute; attributes that involve no script, such as hidden or title, still take effect and can change how the table is presented. Exploitation requires an authenticated administrator session on the web interface. No exploitation in the wild is known. Version 6.4.1 fixes the issue by escaping the value before it is rendered into the attribute. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low confidentiality and integrity impact, and no availability impact.
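As an added illustration (not Pi-hole's code and not its patch), the following JavaScript reproduces the attribute-injection pattern the advisory describes beside the escaping fix. The row markup, the class names, the escapeAttr() helper and the sample records are assumptions made for this example; only the mechanism, an unescaped record value concatenated into a double-quoted data-tag attribute, comes from the advisory.

```javascript
"use strict";

// Added example (not Pi-hole's code): a stand-in for the pattern the advisory
// describes in populateDataTable(), where the raw record value is
// concatenated into a data-tag attribute. The element layout, class names
// and the escapeAttr() fix are assumptions for illustration, not the actual
// project source or patch.

// Constructed sample records in the "<ip> <hostname>" form the API returns.
const SAMPLE_RECORDS = [
  "192.168.1.10 nas.lan",
  // Attacker-supplied record: the double quote closes data-tag, and
  // `hidden title="x` becomes extra attributes on the same element. Inline
  // JavaScript (e.g. onclick=...) would be blocked by Pi-hole's CSP, but
  // `hidden` needs no script, so the control simply disappears for every
  // administrator who views the table. The trailing `x` absorbs the
  // template's own closing quote so the markup stays well-formed.
  '192.168.1.11 evil.lan" hidden title="x',
];

// Vulnerable pattern: raw value dropped into a double-quoted attribute.
function buildRowVulnerable(record) {
  return "<tr><td>" + record + "</td><td>" +
    '<button type="button" class="btn btn-danger btn-xs" data-tag="' + record + '">Delete</button>' +
    "</td></tr>";
}

// Fix pattern: escape the five HTML-significant characters before
// interpolating into an attribute value (or a text node).
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildRowFixed(record) {
  const safe = escapeAttr(record);
  return "<tr><td>" + safe + "</td><td>" +
    '<button type="button" class="btn btn-danger btn-xs" data-tag="' + safe + '">Delete</button>' +
    "</td></tr>";
}

// Lists the attribute names on the <button> start tag without needing a DOM.
// A correct render yields exactly [type, class, data-tag]; anything more
// means the attribute context was broken out of.
function buttonAttributeNames(html) {
  const tag = html.match(/<button\b([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attrRe = /([^\s=]+)(?:="[^"]*")?/g; // name or name="value"
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}

// Round-trip check: the browser decodes &quot; back to a literal quote when
// the script later reads button.dataset.tag, so the escaped record is still
// usable for the delete request the attribute exists for.
function decodeAttr(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

for (const record of SAMPLE_RECORDS) {
  console.log("vulnerable:", buttonAttributeNames(buildRowVulnerable(record)).join(" "));
  console.log("fixed:     ", buttonAttributeNames(buildRowFixed(record)).join(" "));
}
```

Running it under Node prints `type class data-tag hidden title` for the vulnerable render of the second record and `type class data-tag` for the fixed one. The same escaping has to be applied to the text cell, not only the attribute, since the value is interpolated in both places.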
Potential Impact
An authenticated administrator can inject arbitrary HTML attributes into elements of the Pi-hole web interface, and the injected markup persists in the configuration until the offending record is removed. Direct JavaScript execution is blocked by the Content Security Policy, so the practical impact is UI manipulation: hiding or mislabelling controls, or presenting misleading information to other administrators who view the DNS records table, which could support phishing or social engineering or be chained with a separate weakness. Because exploitation requires administrator privileges, the realistic threat actors are malicious insiders or attackers who have already obtained admin credentials. Confidentiality and integrity impact is low and availability is unaffected. Organizations relying on Pi-hole for network-level ad blocking and DNS management have reduced assurance in the integrity of the admin interface until they patch.
Mitigation Recommendations
1. Upgrade all Pi-hole installations to version 6.4.1 or later, where the value is escaped before rendering.
2. Restrict administrator access to trusted personnel only and enforce strong authentication to reduce the risk of credential compromise.
3. Audit the DNS records configured via the Pi-hole interface (or exported from its configuration) for characters that never appear in a valid IP address or hostname, such as double quotes, angle brackets or equals signs; any such entry indicates an attempted injection.
4. Monitor Pi-hole web interface logs for unusual activity or configuration changes.
5. Consider network segmentation to limit who can reach the Pi-hole admin interface.
6. Educate administrators about the risks of untrusted input in the management interface and the importance of applying security updates promptly.
7. If upgrading immediately is not possible, remove any existing records containing such characters and avoid entering values other than plain IP/hostname pairs until the fix is deployed.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-16T22:20:28.611Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 6997966bd7880ec89b39b1c9
Added to database: 2/19/2026, 11:02:03 PM
Last enriched: 2/28/2026, 2:46:59 PM
Last updated: 4/4/2026, 8:26:11 PM