CVE-2026-33404

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.

CVSS v3 3.4 LOW

3.4^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*

History

14 Apr 2026, 19:16

Type	Values Removed	Values Added
First Time		Pi-hole Pi-hole web Interface
CPE		cpe:2.3:a:pi-hole:web_interface::::::::
References	~~() https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v -~~	() https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v - Third Party Advisory

06 Apr 2026, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 15:17

Updated : 2026-04-14 19:16

NVD link : CVE-2026-33404

Mitre link : CVE-2026-33404

CVE.ORG link : CVE-2026-33404

JSON object : View

Products Affected

pi-hole

web_interface

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-33404", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.4, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-04-06T15:17:10.473", "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping \u2014 an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5."}], "lastModified": "2026-04-14T19:16:29.567", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F1EA9FF-4B56-41DE-A685-A1B75E6ECEF2", "versionEndIncluding": "6.4.1", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}