CVE-2025-53533

Severity: MEDIUM · Tags: NUCLEI

Pi-hole Admin Interface <6.2.1 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-53533: a PoC published by moezbouzayani9. A Nuclei detection template is also available.

AI-analyzed exploit summary

This repository contains a functional Python script that demonstrates a reflected XSS vulnerability in Pi-hole's web interface (CVE-2025-53533). The exploit constructs a malicious URL with encoded payloads that trigger when the 404 error page loads, requiring no authentication.

Description

Pi-hole Admin Interface is the web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path: the 404 error page includes the requested path in the class attribute of the body tag without sanitization or escaping. An attacker can craft a URL containing an onload attribute that executes arbitrary JavaScript in the browser when a victim visits the malicious link; if the attacker sends such a crafted Pi-hole link to a victim and the victim opens it, attacker-controlled JavaScript runs in the victim's browser. This has been patched in version 6.3.
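As an added illustration (not Pi-hole's own template code), the following Python model shows the attribute-context flaw described above beside its attribute-escaped form, with a parser-based check that reports whether a request path managed to add a new attribute to the body tag. The render functions, the parser helper and the sample path are constructed for this example.

```python
import html
from html.parser import HTMLParser


# Constructed model of the flaw: the requested path is interpolated straight into
# the class attribute of <body> on the 404 page. Illustrative only, not Pi-hole code.
def render_404_vulnerable(path: str) -> str:
    return f'<html><body class="{path}"><h1>404 Not Found</h1></body></html>'


# Hardened form: escape for the HTML attribute context. quote=True also turns
# " and ' into entities, so the path can never close the attribute it sits in.
def render_404_safe(path: str) -> str:
    safe_path = html.escape(path, quote=True)
    return f'<html><body class="{safe_path}"><h1>404 Not Found</h1></body></html>'


class BodyAttrCollector(HTMLParser):
    """Collect the attributes an HTML parser actually sees on the <body> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.body_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.body_attrs = list(attrs)


def body_attribute_names(document: str) -> list:
    """Return the attribute names on <body>, as a browser-like parser would tokenize them."""
    parser = BodyAttrCollector()
    parser.feed(document)
    parser.close()
    return [name for name, _ in parser.body_attrs]


def injects_event_handler(document: str) -> bool:
    """True when an on* attribute appears on <body>, i.e. the path broke out of class."""
    return any(name.startswith("on") for name in body_attribute_names(document))


# Constructed request path: closes the class attribute and appends an event handler.
BREAKOUT_PATH = '/missing" onload="handler()'

if __name__ == "__main__":
    for label, render in (("vulnerable", render_404_vulnerable), ("hardened", render_404_safe)):
        doc = render(BREAKOUT_PATH)
        print(f"{label}: body attrs={body_attribute_names(doc)} "
              f"event handler injected={injects_event_handler(doc)}")
```

The same escaping check applies to any value reflected into an attribute, not only the 404 page's class attribute.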

Exploits (1)

GitHub · WORKING POC · 1 star
by moezbouzayani9 · python · poc
https://github.com/moezbouzayani9/Pi-hole-XSS-CVE-2025-53533

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Pi-hole Web Interface versions 6.2.1 and later (patched in 6.3)
Authentication: No auth needed
Prerequisites: Access to the Pi-hole web interface URL
Analyzed by devstral-2 on Feb 19, 2026

Nuclei Templates (1)

Pi-hole Reflected XSS in 404-Error Page
MEDIUM · VERIFIED · by DhiyaneshDk
Shodan: title:"Pi-hole"

References (1)

Core references (1)
Exploit, Vendor Advisory (x_refsource_confirm)
https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w

Scores

CVSS v3 6.1
EPSS 0.0032
EPSS Percentile 56.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
pi-hole/web_interface < 6.3
Published Oct 27, 2025
Tracked Since Feb 18, 2026