Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
Published: 2026-04-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Attribute injection allows UI manipulation
Action: Patch
AI Analysis

Impact

Pi‑hole’s administrative web interface injects configuration values directly into HTML value attributes without escaping. A double quote in any config value breaks out of the attribute context, enabling arbitrary attribute injection. Because the server’s content‑security‑policy restricts JavaScript execution, the attack is limited to altering element styling for UI redressing, but it does not lead to code execution or data exfiltration.

Affected Systems

The flaw resides in the Pi‑hole web interface component, affecting installations using versions 6.0 through 6.4. The vulnerability stems from the /api/config endpoint and the settings‑advanced.js script that processes the returned values. Version 6.5 and later contain the fix.

Risk and Exploitability

The CVSS base score is 5.4, indicating a moderate severity risk. The EPSS score is below 1 %, suggesting that wide‑scale exploitation is unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need to supply a malicious teleporter backup file, which is imported through the web interface and bypasses per‑field validation. Therefore the attack vector is user‑initiated import, and the impact is restricted to UI manipulation, without compromising confidentiality or integrity.

Generated by OpenCVE AI on April 14, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole to version 6.5 or later, which removes the issue.
  • Only import backups from trusted sources to avoid malicious configuration values.
  • If upgrading is not immediately possible, restrict backup import to administrative accounts or disable the feature.
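The unsafe rendering pattern the description attributes to settings-advanced.js, a hardened version, and a pre-import check that backs the "trusted sources" recommendation above, as an added example that is not Pi-hole's own code; the function names, the escaping approach and the sample config keys are assumptions.

```javascript
// Added example (not Pi-hole's own code): the unsafe pattern the advisory
// describes, a hardened version, and a pre-import check for backup values.
// Function names and the sample config below are constructed for illustration.

// Escape the characters that can terminate an HTML attribute value or start
// a tag/entity. Setting input.value via the DOM API avoids the problem entirely.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: the config value is concatenated straight into value="".
function renderInputUnsafe(key, value) {
  return '<input name="' + key + '" value="' + value + '">';
}

// Hardened pattern: every dynamic string is escaped before entering markup.
function renderInputSafe(key, value) {
  return '<input name="' + escapeAttr(key) + '" value="' + escapeAttr(value) + '">';
}

// A well-formed rendering of two attributes contains exactly four quote
// characters; any extra quote means the value broke out of its attribute.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Defender-side check before importing a backup: walk the config object and
// report the path of every string value containing attribute-breaking characters.
function flagRiskyValues(obj, path = "", out = []) {
  for (const [k, v] of Object.entries(obj)) {
    const p = path ? path + "." + k : k;
    if (typeof v === "string") {
      if (/["'<>&]/.test(v)) out.push(p);
    } else if (v && typeof v === "object") {
      flagRiskyValues(v, p, out);
    }
  }
  return out;
}

// Constructed sample config with one tampered value (keys are hypothetical).
const sampleConfig = {
  dns: { upstreams: ["1.1.1.1"], hostname: '" style="display:none' },
  webserver: { domain: "pi.hole" },
};
```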

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pi-hole web Interface
CPEs | | cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*
Vendors & Products | | Pi-hole web Interface

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pi-hole; Pi-hole web
Vendors & Products | | Pi-hole; Pi-hole web

Mon, 06 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
Title | | Pi-hole has a Stored HTML attribute injection
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T14:08:17.918Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33406

Vulnrichment

Updated: 2026-04-07T14:08:13.239Z

NVD

Status: Analyzed

Published: 2026-04-06T15:17:10.627

Modified: 2026-04-14T02:04:17.300

Link: CVE-2026-33406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:41:17Z

Weaknesses