Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
Published: 2026-04-06
Score: 3.4 Low
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Pi‑hole web interface renders client hostnames and IP addresses from the FTL database on the Network page and in the Dashboard chart tooltips without HTML escaping. Any HTML or script that reaches those stored fields is therefore interpreted by the browser of whoever opens the affected pages and runs inside that user's authenticated admin session (stored XSS / HTML injection). The advisory notes that the normal DHCP and DNS paths already reject HTML characters in dnsmasq and FTL, so the missing output escaping is a defence-in-depth gap: it becomes exploitable once a value bypasses that input validation and is written to the database by some other route, and the same file escapes its other fields correctly.

Affected Systems

Versions of the Pi‑hole web interface (Pi-hole Admin Interface) from 6.0 up to, but not including, 6.5 are affected. The flaw is in the interface's JavaScript (network.js for the Network page, charts.js/index.js for the Dashboard tooltips), which renders FTL database entries for network hosts into the DOM.

Risk and Exploitability

The CVSS 3.1 score is 3.4, Low: the vector (AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) assumes local access with high privileges and rates the confidentiality and integrity impact as low. The SSVC assessment attached to this record marks exploitation as "poc" (a proof of concept exists), not automatable, with partial technical impact. Because dnsmasq and FTL reject HTML characters on the normal DHCP/DNS paths, an attacker first needs some other way to write arbitrary hostname or IP strings into the FTL database before the unescaped rendering can be reached. Exposing the admin interface beyond the local network widens the set of users whose sessions an injected payload could run in, but it does not by itself provide that write path.

Generated by OpenCVE AI on April 6, 2026 at 17:51 UTC.

Remediation

Fixed in Pi-hole web 6.5. The vendor lists no workaround for earlier versions beyond the actions below.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole to version 6.5 or later
  • Inspect the FTL database for stored hostnames or IP addresses containing HTML metacharacters and remove them; upgrading fixes the rendering but does not clean rows that were already injected
  • Restrict access to the Pi‑hole admin interface to trusted users or protect it behind a firewall

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: First Time appeared
  Values Added: Pi-hole; Pi-hole web
Type: Vendors & Products
  Values Added: Pi-hole; Pi-hole web

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type: Description
  Values Added: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
Type: Title
  Values Added: Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard
Type: Weaknesses
  Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 3.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:39:53.011Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33404

Vulnrichment

Updated: 2026-04-06T18:39:46.611Z

NVD

Status : Received

Published: 2026-04-06T15:17:10.473

Modified: 2026-04-06T15:17:10.473

Link: CVE-2026-33404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:35Z

Weaknesses