PowerDNS DNSdist HTML Injection Vulnerability in Internal Web Dashboard

Vulnerability

A vulnerability allowing HTML injection into the internal web dashboard of PowerDNS DNSdist has been identified. The issue arises when an attacker sends crafted DNS queries to a DNSdist instance that has domain-based dynamic rules enabled through either the DynBlockRulesGroup:setSuffixMatchRule or the DynBlockRulesGroup:setSuffixMatchRuleFFI method. It affects PowerDNS DNSdist versions from 1.9.0 prior to 1.9.11 and from 2.0.0 prior to 2.0.2.

Impact

Exploitation of this vulnerability allows for HTML injection, which could be used to manipulate the web dashboard's content or behavior.

Remediation

Users are advised to upgrade to PowerDNS DNSdist versions 1.9.12 or 2.0.3, where this vulnerability has been patched.
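
The following triage check is an added example, not code from PowerDNS or from this advisory. It flags a DNSdist instance whose version is below the patched releases named above and whose Lua configuration uses the two methods named in the advisory. It assumes a Lua configuration file, and that the dashboard is enabled with the `webserver()` call; the sample configuration is constructed.

```python
import re

# Patched releases named in the Remediation section, keyed by release branch.
PATCHED = {(1, 9): (1, 9, 12), (2, 0): (2, 0, 3)}

# Dynamic-rule methods named in the advisory, plus the Lua webserver() call
# (assumption: the dashboard is enabled from a Lua configuration file).
SUFFIX_RULE = re.compile(r":\s*(setSuffixMatchRule(?:FFI)?)\s*\(")
WEBSERVER = re.compile(r"(?<![\w.:])webserver\s*\(")

def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'dnsdist 1.9.10'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def needs_upgrade(version_text):
    """True if the version is on a listed branch and below its patched release."""
    version = parse_version(version_text)
    patched = PATCHED.get(version[:2])
    return patched is not None and version < patched

def scan_config(lua_text):
    """Find suffix-match dynamic rules and dashboard use, skipping Lua line comments."""
    methods, dashboard = set(), False
    for line in lua_text.splitlines():
        code = line.split("--", 1)[0]  # naive: also cuts a "--" inside a string
        methods.update(SUFFIX_RULE.findall(code))
        dashboard = dashboard or bool(WEBSERVER.search(code))
    return {"suffix_rule_methods": sorted(methods), "dashboard_enabled": dashboard}

def triage(version_text, lua_text):
    """In scope when unpatched, a suffix rule is set and the dashboard is on.
    Treating the dashboard as a required condition is this example's assumption."""
    found = scan_config(lua_text)
    unpatched = needs_upgrade(version_text)
    in_scope = unpatched and bool(found["suffix_rule_methods"]) and found["dashboard_enabled"]
    return {**found, "needs_upgrade": unpatched, "in_scope": in_scope}

# Constructed sample configuration with illustrative arguments.
SAMPLE_CONFIG = """
webserver("127.0.0.1:8083")
local dbr = dynBlockRulesGroup()
-- dbr:setSuffixMatchRuleFFI(10, "old rule", 60, DNSAction.Drop, visitor)
dbr:setSuffixMatchRule(10, "suffix flood", 60, DNSAction.Drop, function(node, self, children) return true end)
"""
```

Calling `triage("dnsdist 1.9.10", SAMPLE_CONFIG)` reports the instance as in scope; an instance that is not in scope but still reports `needs_upgrade` should be upgraded anyway, as the Remediation section advises.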

Added: Mar 31, 2026, 12:32 PM
Updated: Mar 31, 2026, 12:32 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 0.8
exploitability: 6.5
remediation: 8.3
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.