https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html reports:
- CVE-2026-0396: HTML injection in the web dashboard
- CVE-2026-0397: Information disclosure via CORS misconfiguration
- CVE-2026-24028: Out-of-bounds read when parsing DNS packets via Lua
- CVE-2026-24029: DNS over HTTPS ACL bypass
- CVE-2026-24030: Unbounded memory allocation for DoQ and DoH3
- CVE-2026-27853: Out-of-bounds write when rewriting large DNS packets
- CVE-2026-27854: Use after free when parsing EDNS options in Lua