CVE-2026-33404
Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard
CVSS Score
3.4
EPSS Score
0.0%
EPSS Percentile
0th
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping โ an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
| CWE | CWE-79 |
| Vendor | pi-hole |
| Product | web |
| Published | Apr 6, 2026 |
| Last Updated | Apr 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for pi-hole web
Be the first to know when new low vulnerabilities affecting pi-hole web are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
pi-hole / web
>= 6.0, < 6.5