Pi-hole has a Stored XSS / HTML injection in the...

3.4 / 10

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.

Basic Information

ID CVE-2026-33404

Source GitHub_M

Published Apr 6, 2026 at 14:48

Modified Apr 6, 2026 at 18:39

Affected Product

Vendor pi-hole

Product web

Version >= 6.0, < 6.5

Affected Versions pi-hole web >= 6.0, < 6.5

CWE Classification

CWE-79

References

github.com /pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v

{
    "lastseen": "",
    "description": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping \u2014 an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.",
    "published": "2026-04-06T14:48:45.348Z",
    "modified": "2026-04-06T18:39:53.011Z",
    "type": "cve",
    "title": "Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard",
    "source": "GitHub_M",
    "references": "https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v",
    "id": "CVE-2026-33404",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "pi-hole web >= 6.0, < 6.5",
    "sourceHref": "",
    "cvss": {
        "score": 3.4,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "web",
    "version": ">= 6.0, < 6.5",
    "vendor": "pi-hole",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard_CVE-2026-33404