Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
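The unescaped-rendering pattern the description refers to, shown beside an escaped version of the same row renderer, as an added example that is not Pi-hole's own code; the row fields, function names and the sample client rows are constructed for illustration and do not mirror the real network.js.

```javascript
// Added example (not Pi-hole code). Constructed rows standing in for client
// records read from the FTL database. The second hostname carries HTML
// characters that normal DHCP/DNS validation would reject; the UI must not
// rely on that upstream check and should escape at the output boundary.
const SAMPLE_CLIENTS = [
  { hwaddr: "aa:bb:cc:dd:ee:01", ip: "192.168.1.10", name: "laptop" },
  { hwaddr: "aa:bb:cc:dd:ee:02", ip: "192.168.1.11", name: "<b>bold</b>host" },
];

// Minimal HTML escaping suitable for text content and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: database values interpolated straight into markup.
function renderRowVulnerable(client) {
  return `<tr><td>${client.hwaddr}</td><td>${client.ip}</td>` +
         `<td>${client.name}</td></tr>`;
}

// Hardened pattern: every database-sourced value escaped before it reaches the DOM.
function renderRowSafe(client) {
  return `<tr><td>${escapeHtml(client.hwaddr)}</td><td>${escapeHtml(client.ip)}</td>` +
         `<td>${escapeHtml(client.name)}</td></tr>`;
}

function renderTable(rows, renderRow) {
  return `<table>${rows.map(renderRow).join("")}</table>`;
}

// Regression check: does the rendered markup contain any tag the template
// itself does not emit? Any such tag came from the data, not the template.
function containsForeignTag(html) {
  const allowed = new Set(["table", "tr", "td"]);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!allowed.has(match[1].toLowerCase())) return true;
  }
  return false;
}
```

Running containsForeignTag over both renderers' output for the second sample row shows the vulnerable template leaking the injected tag while the escaped one does not.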
Published: 2026-04-06
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary HTML and JavaScript into the Pi‑hole Admin Interface. Data such as client hostnames and IP addresses are rendered into the DOM without escaping, creating a stored cross‑site scripting weakness of type CWE‑79. Successful exploitation could lead to session hijacking or malicious code execution within the victim’s browser, potentially compromising sensitive network information.

Affected Systems

This flaw affects the Pi‑hole web interface in versions 6.0 through 6.4. The issue was fixed in release 6.5. Users running any of these versions should verify their installation. The vulnerable components are network.js on the Network page and charts.js/index.js used for dashboard tooltips.

Risk and Exploitability

The CVSS score of 3.4 indicates low severity, and the EPSS probability is below 1 %, suggesting that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is access to the web UI, which is typically limited to local network users or administrators. An attacker would need to deliver malicious input that the application stores and later serves to a logged‑in user, which may require privileged or authenticated access to the admin interface.

Generated by OpenCVE AI on April 14, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole to version 6.5 or newer to eliminate the unescaped rendering of client data.
  • If an upgrade cannot be performed immediately, limit access to the admin interface to trusted devices or secure it behind a VPN or firewall to reduce the likelihood of an attacker reaching the vulnerable page.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pi-hole web Interface
CPEs | | cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*
Vendors & Products | | Pi-hole web Interface

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pi-hole, Pi-hole web
Vendors & Products | | Pi-hole, Pi-hole web

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
Title | | Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:39:53.011Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33404

Vulnrichment

Updated: 2026-04-06T18:39:46.611Z

NVD

Status: Analyzed

Published: 2026-04-06T15:17:10.473

Modified: 2026-04-14T19:16:29.567

Link: CVE-2026-33404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses