CVE-2026-0396

LOW

HTML injection in the web dashboard

Title source: cna

Description

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.

References (1)

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Scores

CVSS v3 3.1

EPSS 0.0000

EPSS Percentile 0.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-80

Status published

Products (3)

PowerDNS/DNSdist 1.9.0 - 1.9.12

powerdns/dnsdist 1.9.0 - 1.9.12

PowerDNS/DNSdist 2.0.0 - 2.0.3

Published Mar 31, 2026

Tracked Since Mar 31, 2026