PowerDNS: Security Vulnerabilities
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVSS Score: 5.3
EPSS Score: 0.006
Published: 2026-04-22
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVSS Score: 5.3
EPSS Score: 0.005
Published: 2026-04-22
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
CVSS Score: 5.3
EPSS Score: 0.006
Published: 2026-04-22
Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, a use-after-free and/or a crash of the recursor. Normally, concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
CVSS Score: 5.0
EPSS Score: 0.002
Published: 2026-04-22
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVSS Score: 5.3
EPSS Score: 0.005
Published: 2026-04-22
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
CVSS Score: 5.9
EPSS Score: 0.002
Published: 2026-04-22
An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
CVSS Score: 5.9
EPSS Score: 0.004
Published: 2026-04-22
An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
CVSS Score: 4.8
EPSS Score: 0.005
Published: 2026-03-31
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
CVSS Score: 3.1
EPSS Score: 0.001
Published: 2026-03-31
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator who is logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
CVSS Score: 3.1
EPSS Score: 0.002
Published: 2026-03-31

