Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in dnsdist - CVE-2026-0396

Published: April 23, 2026


Vulnerability identifier: #VU126954
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-0396
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PowerDNS.COM B.V.
Affected software:
dnsdist

Detailed vulnerability description

The vulnerability allows a remote attacker to inject HTML content into the internal web dashboard.

The vulnerability exists due to improper neutralization of input during web page generation in the internal web dashboard: when crafted DNS queries trigger domain-based dynamic rules, data derived from those queries reaches the dashboard without being neutralized. A remote attacker can therefore send crafted DNS queries to inject HTML content into the internal web dashboard.

User interaction is required for the injected content to be viewed, and the issue occurs when domain-based dynamic rules have been enabled via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
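The weakness described above (CWE-80) is the general pattern of inserting untrusted strings, here names taken from DNS queries, into a web page without escaping. The following added example is not dnsdist code and does not reflect how its dashboard is implemented; it uses constructed dynamic-block entries and a hypothetical row renderer to show the vulnerable concatenation pattern next to a hardened version, plus a check a reviewer could run over rendered output to confirm no data-derived tags leak through.

```javascript
// Added example (not from dnsdist): neutralizing DNS names before rendering
// them in an HTML dashboard. All names and data below are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML structure or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: entries as a dashboard might receive them from a backend
// that records which query names triggered a domain-based dynamic rule.
const SAMPLE_BLOCKS = [
  { domain: 'example.com.', reason: 'suffix rule', blocks: 12 },
  // A query name is an arbitrary byte string, so it can carry markup characters.
  { domain: '<i>injected</i>.example.net.', reason: 'suffix rule', blocks: 3 },
];

// Vulnerable pattern: untrusted fields concatenated straight into markup.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.domain}</td><td>${entry.reason}</td><td>${entry.blocks}</td></tr>`;
}

// Hardened pattern: every untrusted string is escaped; numbers are coerced to Number.
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.domain)}</td>` +
    `<td>${escapeHtml(entry.reason)}</td>` +
    `<td>${Number(entry.blocks)}</td></tr>`;
}

function renderTable(entries, rowFn) {
  return '<table>' + entries.map(rowFn).join('') + '</table>';
}

// Review check: remove the tags the renderer itself emits; any remaining '<'
// followed by a letter must have come from the data, i.e. an injection leaked.
function dataTagsLeaked(entries, rowFn) {
  const html = renderTable(entries, rowFn);
  const ownTags = /<\/?(table|tr|td)>/g;
  return /<[a-zA-Z]/.test(html.replace(ownTags, ''));
}

module.exports = { escapeHtml, renderRowUnsafe, renderRowSafe, renderTable, dataTagsLeaked, SAMPLE_BLOCKS };
```

In a real browser-side dashboard the same result is obtained more robustly by building elements with the DOM API and assigning untrusted values via `textContent` rather than `innerHTML`; the string escaper above is the equivalent for server-side or template-based rendering, and the `dataTagsLeaked` check is a cheap regression test to keep in the dashboard's test suite.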


How to mitigate CVE-2026-0396

Install the security update from the vendor's website.

Sources