CVE-2026-0396: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Dnsdist

Severity: 4.3 MEDIUM (NVD); CNA 3.1
EPSS: 0.0% (top 99.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 31

Description

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

CVEListV5: powerdns/dnsdist, 1.9.0, 1.9.12, +1
NVD: powerdns/dnsdist, 1.9.0, 1.9.12, +1
Debian: powerdns/dnsdist, < 2.0.3-1

🔴 Vulnerability Details (3)

CVEList: HTML injection in the web dashboard (2026-03-31)
OSV: CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-bas (2026-03-31)
GHSA: GHSA-c6vq-q4cf-9cgj: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-bas (2026-03-31)

📋 Vendor Advisories (1)

Debian: CVE-2026-0396: dnsdist - An attacker might be able to inject HTML content into the internal web dashboard... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-0396 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-0396 dnsdist: dnsdist: HTML injection via crafted DNS queries [fedora-all] (2026-03-31)
Bugzilla: CVE-2026-0396 dnsdist: dnsdist: HTML injection via crafted DNS queries [epel-all] (2026-03-31)