CVE-2026-26953: CWE-20: Improper Input Validation in pi-hole web
CVE-2026-26953 is a stored HTML injection vulnerability in the Pi-hole Admin Interface versions prior to 6.4.1. It affects the active sessions table on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML via the X-Forwarded-For header. The vulnerability arises because the value of data.x_forwarded_for is directly inserted into the DOM using jQuery's .html() method without proper sanitization. Due to Pi-hole's Content Security Policy blocking inline JavaScript, the injection is limited to HTML content without script execution. Exploitation requires authenticated access but no user interaction beyond viewing the active sessions page. This vulnerability can lead to integrity and availability impacts, such as UI manipulation or denial of service.
AI Analysis
Technical Summary
CVE-2026-26953 is a stored HTML injection vulnerability identified in the Pi-hole Admin Interface, specifically affecting versions earlier than 6.4.1. Pi-hole is a widely used network-level ad and tracker blocking application, and its web interface allows administrators to manage settings and monitor active sessions. The vulnerability exists in the active sessions table on the API settings page, where the application displays the value of the HTTP header X-Forwarded-For in the sessions list. The problem stems from the rowCallback function, which takes the data.x_forwarded_for value and directly concatenates it into an HTML string that is inserted into the DOM using jQuery’s .html() method. This method parses the content as HTML, meaning any HTML tags in the header value are rendered by the browser. An attacker with valid credentials can craft an HTTP request containing malicious HTML code in the X-Forwarded-For header using tools like curl, wget, Burp Suite, or JavaScript fetch(). When an administrator views the active sessions page, the injected HTML is rendered, leading to a stored HTML injection scenario. However, Pi-hole enforces a Content Security Policy (CSP) that blocks inline JavaScript execution, limiting the impact to HTML injection without script execution. Despite this limitation, the vulnerability can still be exploited to manipulate the UI, inject misleading content, or potentially disrupt the availability of the admin interface. The vulnerability is classified under CWE-20 (Improper Input Validation), CWE-116 (Improper Encoding or Escaping of Output), and CWE-79 (Cross-site Scripting), highlighting the root cause as insufficient input validation and output encoding. The CVSS v3.1 base score is 5.4 (medium severity), reflecting the need for authentication, lack of script execution, and limited scope of impact. No known exploits in the wild have been reported. The issue was publicly disclosed on February 19, 2026, and fixed in Pi-hole version 6.4.1.
Potential Impact
The primary impact of this vulnerability is on the integrity and availability of the Pi-hole Admin Interface. An attacker with valid credentials can inject arbitrary HTML content into the active sessions table, which will be rendered in the browsers of administrators viewing that page. Although the Content Security Policy prevents execution of injected JavaScript, the attacker can still manipulate the UI, potentially misleading administrators or causing confusion. This could lead to administrative errors or loss of trust in the interface. Additionally, crafted HTML could disrupt the display or functionality of the page, causing denial of service conditions for administrators. Since the vulnerability requires valid credentials, the risk is limited to insider threats or compromised accounts. However, given Pi-hole’s role in network-level ad and tracker blocking, disruption of its management interface could indirectly affect network security and monitoring. Organizations relying on Pi-hole for network filtering and security may experience reduced operational effectiveness or increased risk of misconfiguration if this vulnerability is exploited.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Pi-hole to version 6.4.1 or later, where the issue has been fixed by properly sanitizing and encoding the X-Forwarded-For header before inserting it into the DOM. Until the upgrade can be performed, administrators should restrict access to the Pi-hole Admin Interface to trusted users only and enforce strong authentication mechanisms to reduce the risk of credential compromise. Network segmentation and firewall rules should limit access to the management interface from untrusted networks. Additionally, monitoring and alerting on unusual HTTP headers or suspicious activity in the admin interface logs can help detect exploitation attempts. Administrators should avoid clicking on or viewing the active sessions page if suspicious activity is suspected. Implementing web application firewalls (WAFs) that can detect and block injection attempts targeting the X-Forwarded-For header may provide an additional layer of defense. Finally, educating administrators about the risks of HTML injection and encouraging prompt patching practices will reduce exposure.
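The rendering defect described in the Technical Summary and the header validation suggested under Mitigation, shown together as an added example (this is not Pi-hole's code; the session object, the row-rendering helpers and the loose IPv6 shape check are constructed for illustration):

```javascript
// Constructed sample of a session row as the active sessions table might receive it.
// The forwarded-for value carries markup instead of an address.
const sampleSession = {
  id: 1,
  remote_addr: "192.0.2.10",
  x_forwarded_for: "198.51.100.7<b>spoofed-marker</b>",
};

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable shape: the header value is concatenated straight into markup that is
// later handed to $(cell).html(), so any tags it contains are parsed as HTML.
function renderForwardedForUnsafe(data) {
  return "<td>" + data.x_forwarded_for + "</td>";
}

// Hardened shape: encode the value before it reaches the markup. This has the same
// effect as writing the value with .text() instead of .html().
function renderForwardedForSafe(data) {
  return "<td>" + escapeHtml(data.x_forwarded_for) + "</td>";
}

// Defensive check for logging or alerting: X-Forwarded-For should be a
// comma-separated list of IP addresses. Anything else merits an alert.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6_SHAPE = /^[0-9a-fA-F:]+$/; // loose shape check, not a full IPv6 parser

function isWellFormedForwardedFor(header) {
  return String(header)
    .split(",")
    .map((s) => s.trim())
    .every((s) => IPV4.test(s) || (s.includes(":") && IPV6_SHAPE.test(s)));
}
```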
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-16T22:20:28.611Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699799f2d7880ec89b3a60cd
Added to database: 2/19/2026, 11:17:06 PM
Last enriched: 2/19/2026, 11:31:42 PM
Last updated: 2/20/2026, 12:27:55 AM