Search

Find a vulnerability

Search criteria

    269 vulnerabilities by PowerDNS

    CVE-2026-52690 (GCVE-0-2026-52690)

    Vulnerability from nvd – Published: 2026-06-25 13:01 – Updated: 2026-06-25 14:21
    VLAI
    Title
    Spoofed answers can mark an authoritative non-EDNS capable
    Summary
    Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Authentication Bypass by Spoofing
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Mehtab Zafar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-52690",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:21:31.973756Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-290",
                    "description": "CWE-290 Authentication Bypass by Spoofing",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:21:36.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Outgoing EDNS handling"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "syncres.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mehtab Zafar"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSpoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.\u003c/p\u003e"
                }
              ],
              "value": "Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:01:40.347Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Spoofed answers can mark an authoritative non-EDNS capable",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-52690",
        "datePublished": "2026-06-25T13:01:40.347Z",
        "dateReserved": "2026-06-08T08:05:31.708Z",
        "dateUpdated": "2026-06-25T14:21:36.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42390 (GCVE-0-2026-42390)

    Vulnerability from nvd – Published: 2026-06-25 13:01 – Updated: 2026-06-25 14:25
    VLAI
    Title
    ZONEMD validation can be bypassed
    Summary
    An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Vitaly Simonovich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42390",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:25:32.947074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:25:44.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "ZoneMD"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "zonemd.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vitaly Simonovich"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.\u003c/p\u003e"
                }
              ],
              "value": "An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:01:08.394Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ZONEMD validation can be bypassed",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42390",
        "datePublished": "2026-06-25T13:01:08.394Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-06-25T14:25:44.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42389 (GCVE-0-2026-42389)

    Vulnerability from nvd – Published: 2026-06-25 13:16 – Updated: 2026-06-25 14:58
    VLAI
    Title
    Reject more queries with invalid header values
    Summary
    This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Xiang Li, Mingming Zhang, Fasheng Miao, Zuyao Xu from AOSP Lab, Nankai University, Zhongguancun Lab, Tsinghua University
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42389",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:58:11.587235Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:58:17.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Web Server"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "pdns_recursor.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Xiang Li, Mingming Zhang, Fasheng Miao, Zuyao Xu from AOSP Lab, Nankai University, Zhongguancun Lab, Tsinghua University"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThis fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.\u003c/p\u003e"
                }
              ],
              "value": "This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:16:45.245Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reject more queries with invalid header values",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42389",
        "datePublished": "2026-06-25T13:16:45.245Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-06-25T14:58:17.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42388 (GCVE-0-2026-42388)

    Vulnerability from nvd – Published: 2026-06-25 12:59 – Updated: 2026-06-25 14:42
    VLAI
    Title
    Missing input validation for catalog zones
    Summary
    Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    ylwango613
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:42:11.248693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:42:18.369Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Catalog Zones"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "rec-xfr.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ylwango613"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIncomplete validation of the SOA record present in a catalog zone might lead to a crash.\u003c/p\u003e"
                }
              ],
              "value": "Incomplete validation of the SOA record present in a catalog zone might lead to a crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:59:38.192Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing input validation for catalog zones",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42388",
        "datePublished": "2026-06-25T12:59:38.192Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-06-25T14:42:18.369Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42387 (GCVE-0-2026-42387)

    Vulnerability from nvd – Published: 2026-06-25 12:59 – Updated: 2026-06-25 14:41
    VLAI
    Title
    Insufficient input validation in ZoneToCache
    Summary
    A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    nurmukhammyed
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42387",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:41:19.840992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:41:46.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Zone to cache"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "zonemd.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "nurmukhammyed"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.\u003c/p\u003e"
                }
              ],
              "value": "A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:59:16.813Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient input validation in ZoneToCache",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42387",
        "datePublished": "2026-06-25T12:59:16.813Z",
        "dateReserved": "2026-04-27T08:53:58.838Z",
        "dateUpdated": "2026-06-25T14:41:46.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40012 (GCVE-0-2026-40012)

    Vulnerability from nvd – Published: 2026-06-25 12:58 – Updated: 2026-06-25 14:41
    VLAI
    Title
    Information about ECS zero scoped answers might leak to clients that use a specific ECS
    Summary
    ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Exposure of Resource to Wrong Sphere
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Danial Mahadzir
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40012",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:40:29.990781Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-524",
                    "description": "CWE-524 Use of Cache Containing Sensitive Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:41:00.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "EDNS Client Subnet processing"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "pdns_recursor.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Danial Mahadzir"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;\u003c/p\u003e"
                }
              ],
              "value": "ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Exposure of Resource to Wrong Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:58:51.987Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Information about ECS zero scoped answers might leak to clients that use a specific ECS",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40012",
        "datePublished": "2026-06-25T12:58:51.987Z",
        "dateReserved": "2026-04-08T09:59:59.342Z",
        "dateUpdated": "2026-06-25T14:41:00.796Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42004 (GCVE-0-2026-42004)

    Vulnerability from nvd – Published: 2026-06-25 12:24 – Updated: 2026-06-25 13:44
    VLAI
    Title
    EDNS options smuggling
    Summary
    An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Misinterpretation of Input
    • CWE-115 - Misinterpretation of Input
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Vitaly Simonovich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42004",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:44:02.980438Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-115",
                    "description": "CWE-115 Misinterpretation of Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:44:07.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "EDNS processing"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-ecs.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vitaly Simonovich"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker can send a crafted EDNS OPT record that will be ignored by DNSdist\u2019s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.\u003c/p\u003e"
                }
              ],
              "value": "An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist\u2019s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:24:20.140Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "EDNS options smuggling",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42004",
        "datePublished": "2026-06-25T12:24:20.140Z",
        "dateReserved": "2026-04-23T11:15:21.198Z",
        "dateUpdated": "2026-06-25T13:44:07.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40211 (GCVE-0-2026-40211)

    Vulnerability from nvd – Published: 2026-06-25 12:23 – Updated: 2026-06-25 13:45
    VLAI
    Title
    Denial of service via crafted DoH3 queries
    Summary
    An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Allocation of Resources Without Limits or Throttling
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Mehtab Zafar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:44:56.582604Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:45:02.430Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "DNS over HTTP3"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-crypto.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mehtab Zafar"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.\u003c/p\u003e"
                }
              ],
              "value": "An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:23:55.585Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service via crafted DoH3 queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40211",
        "datePublished": "2026-06-25T12:23:55.585Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:45:02.430Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40210 (GCVE-0-2026-40210)

    Vulnerability from nvd – Published: 2026-06-25 12:23 – Updated: 2026-06-25 13:49
    VLAI
    Title
    Out-of-bounds read in SetMacAddrAction
    Summary
    An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Buffer Over-read
    • CWE-126 - Buffer Over-read
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Qifan Zhang (Palo Alto Networks)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:49:25.851878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-126",
                    "description": "CWE-126 Buffer Over-read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:49:35.668Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "SetMacAddrAction"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-actions-factory.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang (Palo Alto Networks)"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.\u003c/p\u003e"
                }
              ],
              "value": "An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Buffer Over-read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:23:31.623Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Out-of-bounds read in SetMacAddrAction",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40210",
        "datePublished": "2026-06-25T12:23:31.623Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:49:35.668Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40209 (GCVE-0-2026-40209)

    Vulnerability from nvd – Published: 2026-06-25 12:23 – Updated: 2026-06-25 13:56
    VLAI
    Title
    Denial of service via IXFR queries
    Summary
    An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Missing Release of Resource after Effective Lifetime
    • CWE-772 - Missing Release of Resource after Effective Lifetime
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Qifan Zhang (Palo Alto Networks)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:56:17.791790Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-772",
                    "description": "CWE-772 Missing Release of Resource after Effective Lifetime",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:56:22.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "DNS over TCP to the backend"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-tcp-downstream.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang (Palo Alto Networks)"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.\u003c/p\u003e"
                }
              ],
              "value": "An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Release of Resource after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:23:05.694Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service via IXFR queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40209",
        "datePublished": "2026-06-25T12:23:05.694Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:56:22.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40208 (GCVE-0-2026-40208)

    Vulnerability from nvd – Published: 2026-06-25 12:22 – Updated: 2026-06-25 13:24
    VLAI
    Title
    Denial of service via DoH3 queries
    Summary
    An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Control Flow Scoping
    • CWE-705 - Incorrect Control Flow Scoping
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    ylwango613
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:24:51.405029Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-705",
                    "description": "CWE-705 Incorrect Control Flow Scoping",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:24:55.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "DNS over HTTP3"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "doh3.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ylwango613"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.\u003c/p\u003e"
                }
              ],
              "value": "An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Control Flow Scoping",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:22:42.722Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service via DoH3 queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40208",
        "datePublished": "2026-06-25T12:22:42.722Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:24:55.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40011 (GCVE-0-2026-40011)

    Vulnerability from nvd – Published: 2026-06-25 12:22 – Updated: 2026-06-25 13:23
    VLAI
    Title
    Prometheus denial of service via crafted DNS queries
    Summary
    An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Encoding or Escaping of Output
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Haruki Oyama (Waseda University)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40011",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:23:09.989984Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:23:46.840Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Prometheus export"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-web.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Haruki Oyama (Waseda University)"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.\u003c/p\u003e"
                }
              ],
              "value": "An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:22:19.248Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Prometheus denial of service via crafted DNS queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40011",
        "datePublished": "2026-06-25T12:22:19.248Z",
        "dateReserved": "2026-04-08T09:59:59.341Z",
        "dateUpdated": "2026-06-25T13:23:46.840Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33612 (GCVE-0-2026-33612)

    Vulnerability from nvd – Published: 2026-06-25 12:58 – Updated: 2026-06-25 13:35
    VLAI
    Title
    ZoneToCache can poison the cache
    Summary
    A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Acceptance of Extraneous Untrusted Data With Trusted Data
    • CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Danial Mahadzir
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33612",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:35:24.220350Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-349",
                    "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:35:27.649Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Zone to cache"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "rec-zonetocache.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Danial Mahadzir"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.\u003c/p\u003e"
                }
              ],
              "value": "A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Acceptance of Extraneous Untrusted Data With Trusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:58:27.132Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ZoneToCache can poison the cache",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-33612",
        "datePublished": "2026-06-25T12:58:27.132Z",
        "dateReserved": "2026-03-23T12:58:38.267Z",
        "dateUpdated": "2026-06-25T13:35:27.649Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42005 (GCVE-0-2026-42005)

    Vulnerability from nvd – Published: 2026-06-25 11:57 – Updated: 2026-06-25 13:04
    VLAI
    Title
    Insufficient input validation of internal web server
    Summary
    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Allocation of Resources Without Limits or Throttling
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Authoritative Affected: 4.9.0 , < 4.9.16 (semver)
    Affected: 5.0.0 , < 5.0.6 (semver)
    Affected: 5.1.0 , < 5.1.2 (semver)
    Create a notification for this product.
    Date Public
    2026-06-10 22:00
    Credits
    ilya rozentsvaig
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42005",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:03:44.259390Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:04:12.854Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "YaHTTP"
              ],
              "packageName": "pdns",
              "product": "Authoritative",
              "programFiles": [
                "ext/yahttp/yahttp/reqresp.cpp"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "4.9.16",
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.6",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.1.2",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ilya rozentsvaig"
            }
          ],
          "datePublic": "2026-06-10T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An attacker can send a web request that causes unlimited memory \nallocation in the internal web server, leading to a denial of service. \nThe internal web server is disabled by default."
                }
              ],
              "value": "An attacker can send a web request that causes unlimited memory \nallocation in the internal web server, leading to a denial of service. \nThe internal web server is disabled by default."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T11:57:16.346Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-07.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient input validation of internal web server",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42005",
        "datePublished": "2026-06-25T11:57:16.346Z",
        "dateReserved": "2026-04-23T11:15:21.199Z",
        "dateUpdated": "2026-06-25T13:04:12.854Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42396 (GCVE-0-2026-42396)

    Vulnerability from nvd – Published: 2026-05-21 09:25 – Updated: 2026-05-21 12:03
    VLAI
    Title
    Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
    Summary
    Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Control of Generation of Code ('Code Injection')
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Authoritative Affected: 4.9.0 , < 4.9.15 (semver)
    Affected: 5.0.0 , < 5.0.5 (semver)
    Create a notification for this product.
    Date Public
    2026-05-19 22:00
    Credits
    ilhamaf
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T12:03:13.589644Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T12:03:16.000Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Catalog Zones"
              ],
              "packageName": "pdns",
              "product": "Authoritative",
              "programFiles": [
                "auth-catalogzone.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "4.9.15",
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.5",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ilhamaf"
            }
          ],
          "datePublic": "2026-05-19T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eInsufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail\u003c/p\u003e"
                }
              ],
              "value": "Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-21T09:25:03.315Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42396",
        "datePublished": "2026-05-21T09:25:03.315Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-05-21T12:03:16.000Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42002 (GCVE-0-2026-42002)

    Vulnerability from nvd – Published: 2026-05-21 09:27 – Updated: 2026-05-21 11:59
    VLAI
    Title
    Concurrency and locking defects in GSS-TSIG
    Summary
    Concurrency and locking defects in GSS-TSIG
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Signal Handler Race Condition
    • CWE-364 - Signal Handler Race Condition
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Authoritative Affected: 4.9.0 , < 4.9.15 (semver)
    Affected: 5.0.0 , < 5.0.5 (semver)
    Create a notification for this product.
    Date Public
    2026-05-19 22:00
    Credits
    thanos_haruki
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-21T11:58:57.204166Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-364",
                    "description": "CWE-364 Signal Handler Race Condition",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-21T11:59:46.710Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "GSS-TSIG"
              ],
              "packageName": "pdns",
              "product": "Authoritative",
              "programFiles": [
                "gss_context.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "4.9.15",
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.5",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "thanos_haruki"
            }
          ],
          "datePublic": "2026-05-19T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eConcurrency and locking defects in GSS-TSIG\u003c/p\u003e"
                }
              ],
              "value": "Concurrency and locking defects in GSS-TSIG"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Signal Handler Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-21T09:27:04.431Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Concurrency and locking defects in GSS-TSIG",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42002",
        "datePublished": "2026-05-21T09:27:04.431Z",
        "dateReserved": "2026-04-23T11:15:21.198Z",
        "dateUpdated": "2026-05-21T11:59:46.710Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42389 (GCVE-0-2026-42389)

    Vulnerability from cvelistv5 – Published: 2026-06-25 13:16 – Updated: 2026-06-25 14:58
    VLAI
    Title
    Reject more queries with invalid header values
    Summary
    This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Xiang Li, Mingming Zhang, Fasheng Miao, Zuyao Xu from AOSP Lab, Nankai University, Zhongguancun Lab, Tsinghua University
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42389",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:58:11.587235Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:58:17.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Web Server"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "pdns_recursor.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Xiang Li, Mingming Zhang, Fasheng Miao, Zuyao Xu from AOSP Lab, Nankai University, Zhongguancun Lab, Tsinghua University"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThis fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.\u003c/p\u003e"
                }
              ],
              "value": "This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:16:45.245Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Reject more queries with invalid header values",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42389",
        "datePublished": "2026-06-25T13:16:45.245Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-06-25T14:58:17.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-52690 (GCVE-0-2026-52690)

    Vulnerability from cvelistv5 – Published: 2026-06-25 13:01 – Updated: 2026-06-25 14:21
    VLAI
    Title
    Spoofed answers can mark an authoritative non-EDNS capable
    Summary
    Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Authentication Bypass by Spoofing
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Mehtab Zafar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-52690",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:21:31.973756Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-290",
                    "description": "CWE-290 Authentication Bypass by Spoofing",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:21:36.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Outgoing EDNS handling"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "syncres.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mehtab Zafar"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSpoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.\u003c/p\u003e"
                }
              ],
              "value": "Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:01:40.347Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Spoofed answers can mark an authoritative non-EDNS capable",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-52690",
        "datePublished": "2026-06-25T13:01:40.347Z",
        "dateReserved": "2026-06-08T08:05:31.708Z",
        "dateUpdated": "2026-06-25T14:21:36.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42390 (GCVE-0-2026-42390)

    Vulnerability from cvelistv5 – Published: 2026-06-25 13:01 – Updated: 2026-06-25 14:25
    VLAI
    Title
    ZONEMD validation can be bypassed
    Summary
    An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Vitaly Simonovich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42390",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:25:32.947074Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:25:44.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "ZoneMD"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "zonemd.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vitaly Simonovich"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.\u003c/p\u003e"
                }
              ],
              "value": "An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T13:01:08.394Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ZONEMD validation can be bypassed",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42390",
        "datePublished": "2026-06-25T13:01:08.394Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-06-25T14:25:44.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42388 (GCVE-0-2026-42388)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:59 – Updated: 2026-06-25 14:42
    VLAI
    Title
    Missing input validation for catalog zones
    Summary
    Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    ylwango613
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42388",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:42:11.248693Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:42:18.369Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Catalog Zones"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "rec-xfr.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ylwango613"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIncomplete validation of the SOA record present in a catalog zone might lead to a crash.\u003c/p\u003e"
                }
              ],
              "value": "Incomplete validation of the SOA record present in a catalog zone might lead to a crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:59:38.192Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing input validation for catalog zones",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42388",
        "datePublished": "2026-06-25T12:59:38.192Z",
        "dateReserved": "2026-04-27T08:53:58.839Z",
        "dateUpdated": "2026-06-25T14:42:18.369Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42387 (GCVE-0-2026-42387)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:59 – Updated: 2026-06-25 14:41
    VLAI
    Title
    Insufficient input validation in ZoneToCache
    Summary
    A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Input Validation
    • CWE-20 - Improper Input Validation
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    nurmukhammyed
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42387",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:41:19.840992Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-20",
                    "description": "CWE-20 Improper Input Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:41:46.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Zone to cache"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "zonemd.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "nurmukhammyed"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.\u003c/p\u003e"
                }
              ],
              "value": "A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:59:16.813Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient input validation in ZoneToCache",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42387",
        "datePublished": "2026-06-25T12:59:16.813Z",
        "dateReserved": "2026-04-27T08:53:58.838Z",
        "dateUpdated": "2026-06-25T14:41:46.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40012 (GCVE-0-2026-40012)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:58 – Updated: 2026-06-25 14:41
    VLAI
    Title
    Information about ECS zero scoped answers might leak to clients that use a specific ECS
    Summary
    ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Exposure of Resource to Wrong Sphere
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Danial Mahadzir
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40012",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T14:40:29.990781Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-524",
                    "description": "CWE-524 Use of Cache Containing Sensitive Information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T14:41:00.796Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "EDNS Client Subnet processing"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "pdns_recursor.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Danial Mahadzir"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;\u003c/p\u003e"
                }
              ],
              "value": "ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Exposure of Resource to Wrong Sphere",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:58:51.987Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Information about ECS zero scoped answers might leak to clients that use a specific ECS",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40012",
        "datePublished": "2026-06-25T12:58:51.987Z",
        "dateReserved": "2026-04-08T09:59:59.342Z",
        "dateUpdated": "2026-06-25T14:41:00.796Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33612 (GCVE-0-2026-33612)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:58 – Updated: 2026-06-25 13:35
    VLAI
    Title
    ZoneToCache can poison the cache
    Summary
    A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Acceptance of Extraneous Untrusted Data With Trusted Data
    • CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Recursor Affected: 5.2.0 , < 5.2.11 (semver)
    Affected: 5.3.0 , < 5.3.8 (semver)
    Affected: 5.4.0 , < 5.4.3 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Danial Mahadzir
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33612",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:35:24.220350Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-349",
                    "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:35:27.649Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Zone to cache"
              ],
              "packageName": "pdns-recursor",
              "product": "Recursor",
              "programFiles": [
                "rec-zonetocache.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "5.2.11",
                  "status": "affected",
                  "version": "5.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.3.8",
                  "status": "affected",
                  "version": "5.3.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.4.3",
                  "status": "affected",
                  "version": "5.4.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Danial Mahadzir"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.\u003c/p\u003e"
                }
              ],
              "value": "A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Acceptance of Extraneous Untrusted Data With Trusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:58:27.132Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ZoneToCache can poison the cache",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-33612",
        "datePublished": "2026-06-25T12:58:27.132Z",
        "dateReserved": "2026-03-23T12:58:38.267Z",
        "dateUpdated": "2026-06-25T13:35:27.649Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42004 (GCVE-0-2026-42004)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:24 – Updated: 2026-06-25 13:44
    VLAI
    Title
    EDNS options smuggling
    Summary
    An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Misinterpretation of Input
    • CWE-115 - Misinterpretation of Input
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Vitaly Simonovich
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42004",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:44:02.980438Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-115",
                    "description": "CWE-115 Misinterpretation of Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:44:07.962Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "EDNS processing"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-ecs.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vitaly Simonovich"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker can send a crafted EDNS OPT record that will be ignored by DNSdist\u2019s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.\u003c/p\u003e"
                }
              ],
              "value": "An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist\u2019s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Misinterpretation of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:24:20.140Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "EDNS options smuggling",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42004",
        "datePublished": "2026-06-25T12:24:20.140Z",
        "dateReserved": "2026-04-23T11:15:21.198Z",
        "dateUpdated": "2026-06-25T13:44:07.962Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40211 (GCVE-0-2026-40211)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:23 – Updated: 2026-06-25 13:45
    VLAI
    Title
    Denial of service via crafted DoH3 queries
    Summary
    An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Allocation of Resources Without Limits or Throttling
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Mehtab Zafar
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40211",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:44:56.582604Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:45:02.430Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "DNS over HTTP3"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-crypto.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mehtab Zafar"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.\u003c/p\u003e"
                }
              ],
              "value": "An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:23:55.585Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service via crafted DoH3 queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40211",
        "datePublished": "2026-06-25T12:23:55.585Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:45:02.430Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40210 (GCVE-0-2026-40210)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:23 – Updated: 2026-06-25 13:49
    VLAI
    Title
    Out-of-bounds read in SetMacAddrAction
    Summary
    An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Buffer Over-read
    • CWE-126 - Buffer Over-read
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Qifan Zhang (Palo Alto Networks)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40210",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:49:25.851878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-126",
                    "description": "CWE-126 Buffer Over-read",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:49:35.668Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "SetMacAddrAction"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-actions-factory.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang (Palo Alto Networks)"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.\u003c/p\u003e"
                }
              ],
              "value": "An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Buffer Over-read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:23:31.623Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Out-of-bounds read in SetMacAddrAction",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40210",
        "datePublished": "2026-06-25T12:23:31.623Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:49:35.668Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40209 (GCVE-0-2026-40209)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:23 – Updated: 2026-06-25 13:56
    VLAI
    Title
    Denial of service via IXFR queries
    Summary
    An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Missing Release of Resource after Effective Lifetime
    • CWE-772 - Missing Release of Resource after Effective Lifetime
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Qifan Zhang (Palo Alto Networks)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40209",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:56:17.791790Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-772",
                    "description": "CWE-772 Missing Release of Resource after Effective Lifetime",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:56:22.793Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "DNS over TCP to the backend"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-tcp-downstream.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Qifan Zhang (Palo Alto Networks)"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.\u003c/p\u003e"
                }
              ],
              "value": "An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Release of Resource after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:23:05.694Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service via IXFR queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40209",
        "datePublished": "2026-06-25T12:23:05.694Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:56:22.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40208 (GCVE-0-2026-40208)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:22 – Updated: 2026-06-25 13:24
    VLAI
    Title
    Denial of service via DoH3 queries
    Summary
    An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Incorrect Control Flow Scoping
    • CWE-705 - Incorrect Control Flow Scoping
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    ylwango613
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40208",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:24:51.405029Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-705",
                    "description": "CWE-705 Incorrect Control Flow Scoping",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:24:55.798Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "DNS over HTTP3"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "doh3.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ylwango613"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.\u003c/p\u003e"
                }
              ],
              "value": "An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Incorrect Control Flow Scoping",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:22:42.722Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Denial of service via DoH3 queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40208",
        "datePublished": "2026-06-25T12:22:42.722Z",
        "dateReserved": "2026-04-10T07:11:39.060Z",
        "dateUpdated": "2026-06-25T13:24:55.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40011 (GCVE-0-2026-40011)

    Vulnerability from cvelistv5 – Published: 2026-06-25 12:22 – Updated: 2026-06-25 13:23
    VLAI
    Title
    Prometheus denial of service via crafted DNS queries
    Summary
    An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Encoding or Escaping of Output
    • CWE-116 - Improper Encoding or Escaping of Output
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS DNSdist Affected: 1.9.0 , < 1.9.15 (semver)
    Affected: 2.0.0 , < 2.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-06-24 22:00
    Credits
    Haruki Oyama (Waseda University)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40011",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:23:09.989984Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-116",
                    "description": "CWE-116 Improper Encoding or Escaping of Output",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:23:46.840Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "Prometheus export"
              ],
              "packageName": "dnsdist",
              "product": "DNSdist",
              "programFiles": [
                "dnsdist-web.cc"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "1.9.15",
                  "status": "affected",
                  "version": "1.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2.0.7",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Haruki Oyama (Waseda University)"
            }
          ],
          "datePublic": "2026-06-24T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eAn attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.\u003c/p\u003e"
                }
              ],
              "value": "An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Encoding or Escaping of Output",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T12:22:19.248Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Prometheus denial of service via crafted DNS queries",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-40011",
        "datePublished": "2026-06-25T12:22:19.248Z",
        "dateReserved": "2026-04-08T09:59:59.341Z",
        "dateUpdated": "2026-06-25T13:23:46.840Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42005 (GCVE-0-2026-42005)

    Vulnerability from cvelistv5 – Published: 2026-06-25 11:57 – Updated: 2026-06-25 13:04
    VLAI
    Title
    Insufficient input validation of internal web server
    Summary
    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Allocation of Resources Without Limits or Throttling
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    OX
    Impacted products
    Vendor Product Version
    PowerDNS Authoritative Affected: 4.9.0 , < 4.9.16 (semver)
    Affected: 5.0.0 , < 5.0.6 (semver)
    Affected: 5.1.0 , < 5.1.2 (semver)
    Create a notification for this product.
    Date Public
    2026-06-10 22:00
    Credits
    ilya rozentsvaig
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42005",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-25T13:03:44.259390Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-25T13:04:12.854Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://repo.powerdns.com/",
              "defaultStatus": "unaffected",
              "modules": [
                "YaHTTP"
              ],
              "packageName": "pdns",
              "product": "Authoritative",
              "programFiles": [
                "ext/yahttp/yahttp/reqresp.cpp"
              ],
              "repo": "https://github.com/PowerDNS/pdns",
              "vendor": "PowerDNS",
              "versions": [
                {
                  "lessThan": "4.9.16",
                  "status": "affected",
                  "version": "4.9.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.0.6",
                  "status": "affected",
                  "version": "5.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "5.1.2",
                  "status": "affected",
                  "version": "5.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ilya rozentsvaig"
            }
          ],
          "datePublic": "2026-06-10T22:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An attacker can send a web request that causes unlimited memory \nallocation in the internal web server, leading to a denial of service. \nThe internal web server is disabled by default."
                }
              ],
              "value": "An attacker can send a web request that causes unlimited memory \nallocation in the internal web server, leading to a denial of service. \nThe internal web server is disabled by default."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-25T11:57:16.346Z",
            "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
            "shortName": "OX"
          },
          "references": [
            {
              "url": "https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-07.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insufficient input validation of internal web server",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "assignerShortName": "OX",
        "cveId": "CVE-2026-42005",
        "datePublished": "2026-06-25T11:57:16.346Z",
        "dateReserved": "2026-04-23T11:15:21.199Z",
        "dateUpdated": "2026-06-25T13:04:12.854Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }