CVE-2026-33405 - Vulnerability Details

- Pi-hole has a Stored HTML Injection in queries.js

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.

Published: 2026-04-06

Score: 3.1 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Pi‑hole Admin Interface contains a stored HTML injection flaw. When a query log entry is expanded, the formatInfo() function inserts the upstream, client IP, and query text directly into the page without escaping, allowing an attacker to embed custom HTML markup. The injected markup cannot execute JavaScript because the server enforces a Content Security Policy that permits only scripts from the same origin, so the attack surface is limited to UI manipulation and potential phishing. This issue is identified as a CWE‑79 problem.

Affected Systems

The vulnerability affects Pi‑hole web interface versions 6.0 through 6.4 inclusive. Versions 6.5 and later include a fix that properly escapes the rendered fields. The affected vendor and product are listed as pi‑hole:web in the CNA data.

Risk and Exploitability

The CVSS base score of 3.1 indicates low severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The description does not state whether authentication is required, so it is unknown if an attacker needs administrative privileges. Since the Query Log is normally accessed by administrators, the flaw could be limited to users with such access. Even with the server-enforced CSP, the vulnerability still permits arbitrary HTML insertion, which can be used for social engineering or UI spoofing, but the overall risk is considered moderate and unlikely to be widely exploited at present.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pi-hole

web

affected

Version	Status	Constraints
`>= 6.0, < 6.5`	affected	—

No data.

Vendor Product Confidence Versions

Pi-hole

Web

100%

Version	Status	Scheme	Platform
`[6.0,6.5)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Pi‑hole to version 6.5 or later, ensuring the admin interface reflects the patched code.
After upgrading, verify that expanding a query log entry no longer displays raw HTML by checking for unexpected markup.
If an immediate upgrade is not possible, restrict access to the Query Log page to administrators only and avoid using the expanded view until a patch is applied.

Generated by OpenCVE AI on April 6, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pi-hole Pi-hole web
Vendors & Products		Pi-hole Pi-hole web

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.
Title		Pi-hole has a Stored HTML Injection in queries.js
Weaknesses		CWE-79
References		https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq
Metrics		cvssV3_1 `{'score': 3.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N'}`

Subscriptions

Pi-hole Web

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T15:23:32.750Z

Updated: 2026-04-06T18:37:49.276Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33405

Vulnrichment

Updated: 2026-04-06T18:37:43.235Z

NVD

Status : Undergoing Analysis

Published: 2026-04-06T16:16:33.610

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-33405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:18Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object