NEXTGUARD
UNKNOWNCVE-2026-33406

Pi-hole has a Stored HTML attribute injection

Platform

javascript

Component

pi-hole/web

Fixed in

6.5.0

View on NVD

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.

How to fix

Actualice la interfaz web de Pi-hole a la versión 6.5 o posterior para mitigar la vulnerabilidad de inyección de atributos HTML almacenados. Esta actualización corrige el problema al escapar correctamente los valores de configuración en el archivo settings-advanced.js, previniendo la manipulación de la interfaz de usuario.

Monitor your dependencies automatically

Get notified when new vulnerabilities affect your projects. Free forever.

Start free
CVE-2026-33406 — Vulnerability Details | NextGuard | NextGuard