PowerDNS Team reports:
- CVE-2026-3361: ZoneToCache can poison the cache
- CVE-2026-40012: Information about ECS zero scoped answers might leak to clients that use a specific ECS
- CVE-2026-42005: Unbounded resource consumption in internal webserver
- CVE-2026-42387: Insufficient input validation in ZoneToCache
- CVE-2026-42388: Missing input validation for catalog zones
- CVE-2026-42389: Reject more queries with invalid header values
- CVE-2026-42390: ZONEMD validation can be bypassed
- CVE-2026-52690: Spoofed answers can mark an authoritative non-EDNS capable
Thanks to the people below for reporting these vulnerabilities:
- Danial Mahadzir
- ilya rozentsvaig
- Vitaly Simonovich
- ylwango613
- nurmukhammyed
- Mehtab Zafar