CVE-2026-26953: CWE-20: Improper Input Validation in pi-hole web
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above, prior to 6.4.1, have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function uses the value data.x_forwarded_for, which is concatenated directly into an HTML string and inserted into the DOM using jQuery’s .html() method. This method interprets the content as HTML, so any HTML tags present in the value are parsed and rendered by the browser. An attacker can use common tools such as curl, wget, Python requests, Burp Suite, or even JavaScript fetch() to send an authentication request with an X-Forwarded-For header that contains malicious HTML code instead of a legitimate IP address. Since Pi-hole implements a Content Security Policy (CSP) that blocks inline JavaScript, the impact is limited to pure HTML injection without the ability to execute scripts. This issue has been fixed in version 6.4.1.
AI Analysis
Technical Summary
Pi-hole is a popular network-level ad and tracker blocking application with a web-based admin interface. Versions from 6.0 up to, but not including, 6.4.1 contain a stored HTML injection vulnerability (CVE-2026-26953) in the active sessions table on the API settings page. The vulnerability stems from improper input validation (CWE-20) and improper neutralization of input during web page generation (CWE-116), specifically in the handling of the X-Forwarded-For HTTP header. The header value is assigned to data.x_forwarded_for and concatenated directly into an HTML string that is inserted into the DOM with jQuery’s .html() method. Because .html() interprets its argument as markup, any HTML tags embedded in the header value are rendered by the browser. An attacker with valid credentials can send an authentication request whose X-Forwarded-For header carries arbitrary HTML instead of an IP address; the value is stored with the session and displayed to any administrator who views the active sessions page. The injected markup cannot execute JavaScript, because Pi-hole’s Content Security Policy blocks inline scripts, but it can still alter the page structure and produce UI disruption or misleading content. Exploitation requires valid user credentials but no user interaction beyond an administrator viewing the page. The vulnerability affects all Pi-hole web versions before 6.4.1 and was publicly disclosed in February 2026. No exploits in the wild have been reported. The CVSS v3.1 base score is 5.4 (medium severity): network attack vector, low attack complexity, and privileges required (valid credentials). The flaw impacts integrity and availability but not confidentiality.
Potential Impact
This vulnerability allows authenticated attackers to inject arbitrary HTML into the Pi-hole admin interface, potentially misleading administrators or disrupting the user interface. While the Content Security Policy prevents JavaScript execution, the injected HTML could be used to spoof UI elements, display misleading information, or cause rendering issues that impair administrative functions. This can reduce the integrity of the admin interface and availability if the UI becomes unusable or confusing. Organizations relying on Pi-hole for network-wide ad and tracker blocking may face operational disruptions or increased risk of misconfiguration due to compromised admin interface integrity. Since exploitation requires valid credentials, insider threats or compromised accounts pose the greatest risk. The vulnerability does not directly expose sensitive data or allow remote code execution, limiting its impact compared to more severe injection flaws. However, the widespread use of Pi-hole in home, SMB, and enterprise environments means many organizations could be affected if they do not update promptly.
Mitigation Recommendations
1. Upgrade all Pi-hole installations to version 6.4.1 or later, where this vulnerability is fixed.
2. Enforce strong authentication and access controls to limit the number of users with admin credentials, reducing the risk of insider exploitation.
3. Monitor and audit admin interface access logs for suspicious activity, especially unusual X-Forwarded-For header values or repeated access to the active sessions page.
4. Consider implementing additional input validation or sanitization on proxy or web server layers to filter out malicious header values before they reach Pi-hole.
5. Educate administrators about the risk of this vulnerability and encourage cautious review of active sessions data.
6. If upgrading immediately is not possible, restrict network access to the Pi-hole admin interface to trusted IPs and VPNs to reduce exposure.
7. Regularly review and apply security patches for Pi-hole and related infrastructure components.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-16T22:20:28.611Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699799f2d7880ec89b3a60cd
Added to database: 2/19/2026, 11:17:06 PM
Last enriched: 2/28/2026, 2:47:14 PM
Last updated: 4/3/2026, 5:15:11 PM