diff --git a/CHANGELOG.md b/CHANGELOG.md
index 974f3f3..91cf6eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 ### Deprecated
 ### Security
+- Fixed a DOM-based XSS on the home page: channel/zone/valve names read from the bus were injected into the pool status table via `innerHTML`. They are now set with `textContent` so bus-derived strings can never be parsed as HTML/script.
 ## [1.6.0] - 2026-06-16
 ### Changed
diff --git a/main/web_handlers.c b/main/web_handlers.c
index ed387d6..9ad3af9 100644
--- a/main/web_handlers.c
+++ b/main/web_handlers.c
@@ -287,7 +287,9 @@ static esp_err_t home_get_handler(httpd_req_t *req)
 "const tb=document.getElementById('pool-body');"
 "rows.forEach(([k,v])=>{"
 "const tr=document.createElement('tr');"
- "tr.innerHTML=''+k+''+v+'';"
+ "const th=document.createElement('th');th.textContent=k;"
+ "const td=document.createElement('td');td.textContent=v;"
+ "tr.appendChild(th);tr.appendChild(td);"
 "tb.appendChild(tr);});"
 "document.getElementById('pool-loading').hidden=true;"
 "document.getElementById('pool-table').removeAttribute('hidden');"
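Review bot: The new `th.textContent=k` / `td.textContent=v` lines carry no comment saying why `textContent` is mandatory here, so a later "simplify to one innerHTML line" edit would silently reintroduce the XSS the CHANGELOG entry describes; add a C comment above the first added string literal, e.g. `/* textContent, not innerHTML: k/v are bus-derived (channel/zone/valve names) and untrusted */`. The fix closes this one sink only; any other `innerHTML`, `insertAdjacentHTML` or attribute sinks elsewhere in this inline script, and the code that produces `rows`, are outside the hunk and should be checked the same way. If home_get_handler does not already set a Content-Security-Policy on this response (I cannot see the headers from here), one with a per-response nonce or hash covering this inline script would make any residual or future sink far harder to exploit. The body of home_get_handler begins and ends outside this hunk.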