wid-sec-w-2026-0932 · Published 2026-03-30 · View on BSI CERT-Bund ↗

PowerDNS: Multiple Vulnerabilities

CVSS 6.5 MEDIUM

Risk Summary

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

CVEs (7)

CVE-2026-0396 CVE-2026-0397 CVE-2026-24028 CVE-2026-24029 CVE-2026-24030 CVE-2026-27853 CVE-2026-27854

Affected Vendors

Open Source SUSE

Affected Products (4)

Open Source · PowerDNS <1.9.12

Open Source · PowerDNS 1.9.12

Open Source · PowerDNS <2.0.3

Open Source · PowerDNS 2.0.3

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more