CVE-2026-33404

LOW

Pi-hole Web 6.0-6.4.1 Network Dashboard - Stored HTML Injection

Title source: manual

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v

Scores

CVSS v3 3.4

EPSS 0.0014

EPSS Percentile 4.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

pi-hole/web >= 6.0, < 6.5

pi-hole/web_interface 6.0 - 6.4.1

Published Apr 06, 2026

Tracked Since Apr 06, 2026