Platform
javascript
Component
pi-hole/web
Fixed in
6.0.1
CVE-2026-33404 is a Cross-Site Scripting (XSS) vulnerability affecting the Pi-hole Admin Interface, the web interface for managing the Pi-hole network ad blocker. This vulnerability allows an attacker to inject malicious scripts into the web interface, potentially leading to unauthorized access or data theft. The vulnerability impacts Pi-hole versions 6.0.0 through 6.4.9, and a patch is available in version 6.5.0.
An attacker could exploit this XSS vulnerability by crafting a malicious payload that is then executed in the context of another user's browser session. This could allow the attacker to steal session cookies, redirect users to phishing sites, or even modify the appearance of the Pi-hole web interface. The impact is limited to users accessing the web interface and depends on the attacker's ability to inject and execute the malicious script. Successful exploitation could compromise the confidentiality and integrity of user data and the Pi-hole administration interface.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate widespread exploitation. The vulnerability was disclosed on 2026-04-06, and the fix was released shortly thereafter.
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33404 is to upgrade Pi-hole to version 6.5.0 or later, which includes the necessary output escaping fixes. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input in the network.js and charts.js/index.js files. Carefully review any custom scripts or modifications made to the Pi-hole web interface to ensure they do not introduce similar vulnerabilities. After upgrading, confirm the fix by verifying that client hostnames and IP addresses are properly escaped when displayed in the Network and Dashboard pages.
Update the Pi-hole web interface to version 6.5 or later to mitigate the XSS vulnerability. This update correctly escapes input data, preventing injection of malicious code into the Network page and the dashboard chart tooltips.
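The two mitigation notes above describe the fix as output escaping of client hostnames and IP addresses on the Network page and in the dashboard tooltips, and suggest verifying that escaping after upgrading. The following is an added example, not Pi-hole's own code: a hypothetical string-template renderer showing the unsafe concatenation pattern beside its escaped form, plus a small check that a rendered fragment contains only the escaped form of each untrusted field. The functions, the `client` shape and the sample hostname are all constructed for this illustration.

```javascript
// Added example (not pi-hole/web code): escaping client data before it is
// placed into HTML on the Network page or in a dashboard chart tooltip.

// Minimal HTML escaper for text placed in element content or quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Unsafe pattern: hostname and IP learned from the network go into markup verbatim.
function renderClientRowUnsafe(client) {
  return `<tr><td>${client.ip}</td><td>${client.hostname}</td></tr>`;
}

// Hardened pattern: every dynamic value is escaped before it enters the markup.
function renderClientRowSafe(client) {
  return `<tr><td>${escapeHtml(client.ip)}</td><td>${escapeHtml(client.hostname)}</td></tr>`;
}

// Tooltip fragment for a chart that renders tooltips as HTML: same rule, escape first.
function tooltipLabelHtml(client, queries) {
  return `${escapeHtml(client.hostname || client.ip)}: ${Number(queries)} queries`;
}

// Post-upgrade check: for each untrusted field that carries HTML metacharacters,
// the rendered output must contain its escaped form and no raw occurrence of it.
// Fields without metacharacters cannot be distinguished and are skipped.
function isProperlyEscaped(rendered, untrustedFields) {
  return untrustedFields.every((field) => {
    if (!/[&<>"'`]/.test(field)) return true;
    const stripped = rendered.split(escapeHtml(field)).join("");
    return stripped !== rendered && !stripped.includes(field);
  });
}

// Constructed sample: a hostname carrying HTML markup, as a LAN device could
// advertise via DHCP or a DNS PTR record (example data, not from the advisory).
const sampleClient = { ip: "192.0.2.10", hostname: "printer<b>lab</b>" };
```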
Pi-hole is an open-source DNS server and network-level ad blocker.
Updating Pi-hole ensures that the latest security patches are applied, protecting your network from vulnerabilities like CVE-2026-33404.
You can update Pi-hole using the pihole -up command in the command line or through the Pi-hole web admin interface.
Change Pi-hole and any related account passwords, review Pi-hole logs for suspicious activity, and consider reinstalling Pi-hole from scratch.
While not a complete solution, you can limit access to the Pi-hole web interface and restrict the IP addresses that can access it.