cvebase

PowerDNS Recursor vulnerabilities

60 known vulnerabilities affecting powerdns/recursor.

Total CVEs: 60
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 28, MEDIUM 29, LOW 1

Vulnerabilities

Page 3 of 3
CVE-2017-15093 | P4 | MEDIUM | CVSS 5.3 | Versions: ≥ 3.0, ≤ 3.7.4; ≥ 4.0.0, ≤ 4.0.6 | 2018-01-23
CVE-2017-15093 [MEDIUM] CWE-20: When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses
nvd
CVE-2026-24027 | P4 | MEDIUM | CVSS 5.3 | Versions: ≥ 5.1.0, < 5.1.10; ≥ 5.2.0, < 5.2.8; +1 more | 2026-02-09
CVE-2026-24027 [MEDIUM] CWE-294: Crafted zones can lead to increased incoming network traffic.
nvd
CVE-2026-40012 | P4 | MEDIUM | CVSS 5.3 | Versions: ≥ 5.2.0, < 5.2.11; ≥ 5.3.0, < 5.3.8; +1 more | 2026-06-25
CVE-2026-40012 [MEDIUM] CWE-524: ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
nvd
CVE-2026-42390 | P4 | MEDIUM | CVSS 5.3 | Versions: ≥ 5.4.0, < 5.4.3 | 2026-06-25
CVE-2026-42390 [MEDIUM] CWE-20: An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
nvd
CVE-2016-7074 | P4 | MEDIUM | CVSS 5.9 | Versions: fixed in 4.0.4 | 2018-09-11
CVE-2016-7074 [MEDIUM] CWE-20: An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check that the TSIG record is the last one, leading to the possibility of parsing records that are not cov
nvd
CVE-2026-42388 | P4 | MEDIUM | CVSS 5.9 | Versions: ≥ 5.2.0, < 5.2.11; ≥ 5.3.0, < 5.3.8; +1 more | 2026-06-25
CVE-2026-42388 [MEDIUM] CWE-20: Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
nvd
CVE-2008-1637 | P4 | MEDIUM | CVSS 6.8 | Versions: ≤ 3.1.4 | 2008-04-02
CVE-2008-1637 [MEDIUM] CWE-189: PowerDNS Recursor before 3.1.5 uses insufficient randomness to calculate (1) TRXID values and (2) UDP source port numbers, which makes it easier for remote attackers to poison a DNS cache, related to (a) algorithmic deficiencies in rand and random functions in external libraries, (b) use of a 32-bit seed value, and (c) choice of the time of day as the
nvd
CVE-2025-59029 | P4 | MEDIUM | CVSS 5.3 | Versions: v5.3.0; v5.3.1; +1 more | 2025-12-09
CVE-2025-59029 [MEDIUM] CWE-617: An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.
nvd
CVE-2017-15092 | P4 | MEDIUM | CVSS 6.1 | Versions: ≥ 4.0.0, ≤ 4.0.6 | 2018-01-23
CVE-2017-15092 [MEDIUM] CWE-79: A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and JavaScript code into the web interface, altering the content.
nvd
CVE-2026-0398 | P4 | MEDIUM | CVSS 5.3 | Versions: ≥ 5.1.0, < 5.1.10; ≥ 5.2.8, < 5.2.8; +2 more | 2026-02-09
CVE-2026-0398 [MEDIUM] CWE-770: Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
nvd
CVE-2026-42389 | P4 | MEDIUM | CVSS 5.3 | Versions: ≥ 5.4.0, < 5.4.3 | 2026-06-25
CVE-2026-42389 [MEDIUM] CWE-20: This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
nvd
CVE-2026-33262 | P4 | MEDIUM | CVSS 5.9 | Versions: ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
CVE-2026-33262 [MEDIUM] CWE-476: An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
nvd
CVE-2026-33261 | P4 | MEDIUM | CVSS 5.9 | Versions: ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
CVE-2026-33261 [MEDIUM] CWE-353: A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
nvd
CVE-2008-3217 | P4 | MEDIUM | CVSS 6.8 | Versions: ≤ 3.1.5; v3.0; +5 more | 2008-07-18
CVE-2008-3217 [MEDIUM]: PowerDNS Recursor before 3.1.6 does not always use the strongest random number generator for source port selection, which makes it easier for remote attack vectors to conduct DNS cache poisoning. NOTE: this is related to incomplete integration of security improvements associated with addressing CVE-2008-1637.
nvd
CVE-2026-33601 | P4 | MEDIUM | CVSS 4.9 | Versions: ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
CVE-2026-33601 [MEDIUM] CWE-476: If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that results in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
nvd
CVE-2026-33259 | P4 | MEDIUM | CVSS 5.0 | Versions: ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
CVE-2026-33259 [MEDIUM] CWE-416: Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
nvd
CVE-2026-33600 | P4 | MEDIUM | CVSS 4.9 | Versions: ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
CVE-2026-33600 [MEDIUM] CWE-476: An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
nvd
CVE-2023-26437 | P4 | MEDIUM | CVSS 5.3 | Versions: fixed in 4.6.6; ≥ 4.7.0, < 4.7.5; +2 more | 2023-04-04
CVE-2023-26437 [MEDIUM] CWE-400: Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable. This issue affects Recursor: through 4.6.5, through 4.7.4, through 4.8.3.
nvd
CVE-2006-4252 | P4 | MEDIUM | CVSS 5.0 | Versions: ≤ 3.1.3; v2.0_rc1; +10 more | 2006-11-14
CVE-2006-4252 [MEDIUM]: PowerDNS Recursor 3.1.3 and earlier allows remote attackers to cause a denial of service (resource exhaustion and application crash) via a CNAME record with a zero TTL, which triggers an infinite loop.
nvd
CVE-2018-1000003 | P4 | LOW | CVSS 3.7 | Versions: v4.1.0 | 2018-01-22
CVE-2018-1000003 [LOW] CWE-20: Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay.
nvd