
CVE-2026-26952: CWE-20: Improper Input Validation in pi-hole web

Severity: Medium
Tags: Vulnerability, CVE-2026-26952, CWE-20, CWE-79, CWE-116
Published: Thu Feb 19 2026 (02/19/2026, 22:43:58 UTC)
Source: CVE Database V5
Vendor/Project: pi-hole
Product: web

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as entered by the user and returned by the API. This value is inserted directly into the data-tag HTML attribute without any escaping or sanitization of special characters. When an attacker supplies a value containing double quotes ("), they can prematurely “close” the data-tag attribute and inject additional HTML attributes into the element. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited. This issue has been fixed in version 6.4.1.

AI-Powered Analysis

Last updated: 02/19/2026, 23:16:51 UTC

Technical Analysis

Pi-hole is a widely deployed network-level ad and tracker blocker with a web-based admin interface. Versions 6.4 and earlier of that interface contain a stored HTML injection flaw (CVE-2026-26952) in the local DNS records configuration page. The populateDataTable() JavaScript function takes the full DNS record value, exactly as the user entered it and as the API returns it, and concatenates it into the data-tag HTML attribute of an element in the records table without attribute-encoding it. A double quote (") in the value therefore terminates the attribute early, and whatever follows is parsed as additional attributes on that element (and, if the value also contains >, as further markup). Because the value is persisted in the Pi-hole configuration, the injected markup is rendered on every subsequent view of the DNS records table, which makes this a stored rather than reflected injection. Pi-hole ships a Content Security Policy that blocks inline JavaScript, so despite the CWE-79 tag this is not a straightforward script-executing XSS; what remains is attribute and DOM manipulation of the admin page, which can hide or alter controls, misrepresent data, or stage phishing-style content inside the trusted interface. Exploitation requires an authenticated administrator account, so the realistic threat is a compromised or malicious admin who wants a persistent foothold in the UI that other admin sessions will see. No exploitation in the wild has been reported. Version 6.4.1 fixes the issue; the advisory does not detail the change, but the standard fix for this bug class is to attribute-encode the value, or to set it through DOM APIs such as setAttribute or the dataset property, instead of building markup by string concatenation.
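The following is an added example, not Pi-hole's own code, that reproduces the pattern described above for populateDataTable(): a record value concatenated into a data-tag attribute with no encoding, beside the attribute-encoded form. The button element, the "hidden" payload, the helper names and the sample record are all constructed here; only the data-tag attribute and the double-quote breakout come from the advisory. A small attribute tokenizer stands in for the browser's HTML parser so the effect can be checked without a DOM.

```javascript
// Added example (not Pi-hole's own code). It models the pattern the
// advisory describes for populateDataTable(): a DNS record value is
// concatenated into a data-tag attribute with no encoding. The element
// name, the "hidden" payload and the sample record are constructed here.

// Attribute-encode the characters that can alter HTML structure.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Inverse of escapeAttr, used to show the fixed markup round-trips the value.
function unescapeAttr(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Vulnerable: the raw value is interpolated, so a double quote in it closes
// data-tag early and the remainder becomes extra attributes on the element.
function renderVulnerable(record) {
  return '<button class="deleteRecord" data-tag="' + record + '">Delete</button>';
}

// Fixed: the value is attribute-encoded, so it stays one attribute value.
function renderFixed(record) {
  return '<button class="deleteRecord" data-tag="' + escapeAttr(record) + '">Delete</button>';
}

// Small attribute reader for the first tag of a fragment. It approximates how
// a browser tokenizes name="value" pairs and bare boolean attributes.
function attributesOfFirstTag(html) {
  const open = html.match(/^<[a-zA-Z][^\s>]*\s*([^>]*)>/);
  if (!open) return {};
  const attrs = {};
  const re = /([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(open[1])) !== null) {
    attrs[m[1]] = m[2] === undefined ? "" : m[2];
  }
  return attrs;
}

// Constructed payload: a valid-looking record followed by a quote that ends
// the attribute, a bare "hidden" attribute, and a dangling attribute that
// swallows the original closing quote.
const INJECTED_RECORD = '192.168.1.10 intranet.lan" hidden x="';

const vulnAttrs = attributesOfFirstTag(renderVulnerable(INJECTED_RECORD));
const fixedAttrs = attributesOfFirstTag(renderFixed(INJECTED_RECORD));
console.log("vulnerable attributes:", Object.keys(vulnAttrs)); // includes "hidden" and "x"
console.log("fixed attributes:", Object.keys(fixedAttrs));     // only "class" and "data-tag"
```

In the vulnerable rendering the injected `hidden` attribute lands on the element itself and the Delete control for that row disappears, which needs no script and is therefore unaffected by a CSP that only blocks inline JavaScript. In the fixed rendering the whole value survives as a single attribute and decodes back to exactly what was stored. In real front-end code the safer option is to avoid string-built markup altogether and assign the value with `el.dataset.tag = record`, which never goes through the HTML tokenizer.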

Potential Impact

An authenticated administrator can store arbitrary HTML attributes, and potentially markup, in the Pi-hole admin interface, and that content is rendered for every session that later views the DNS records table. The CSP blocks inline JavaScript, so the injection does not directly run code, but it can still hide or rearrange controls, misrepresent what the table shows, or present misleading content inside a page administrators trust. That is an integrity risk for the configuration view and a confidentiality risk insofar as it can be used to trick an administrator into disclosing information. Because administrator authentication is required, opportunistic external exploitation is unlikely; the realistic scenarios are an insider or a compromised admin credential seeking persistence in the UI. Availability is essentially unaffected, since the injection does not disrupt DNS resolution or blocking. Organizations that depend on Pi-hole for DNS management face trust and operational risk if the interface they use to verify records can be made to lie. The medium CVSS 3.1 score of 5.4 reflects limited impact combined with the privileged access required.

Mitigation Recommendations

Upgrade Pi-hole to version 6.4.1 or later, which fixes the rendering of local DNS records. Until then, limit who can reach the admin interface: bind it to the management network, front it with a reverse proxy or firewall rule, and use a strong admin password, since the flaw is only reachable by an authenticated administrator. Audit the local DNS records already stored in the configuration for values containing double quotes, single quotes, angle brackets or ampersands; a legitimate record is an IP address followed by one or more hostnames and never needs those characters, so anything matching should be removed and investigated as a possible sign of a misused admin account. Log and review admin interface activity, in particular changes to DNS records, so that tampering has a trail. A web application firewall in front of the admin interface can flag record submissions containing those characters, but it is a stopgap rather than a substitute for the upgrade. Keep regular backups of the Pi-hole configuration so a tampered record set can be restored from a known-good copy, and apply security updates for the admin interface promptly.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-16T22:20:28.611Z
Cvss Version
3.1
State
PUBLISHED

Added to database: 2/19/2026, 11:02:03 PM

Last enriched: 2/19/2026, 11:16:51 PM

Last updated: 2/20/2026, 11:59:44 PM
