Platform: javascript
Component: pi-hole/web
Fixed in: 6.0.1
CVE-2026-33404 is a Cross-Site Scripting (XSS) vulnerability affecting the Pi-hole Admin Interface, the web interface for managing the Pi-hole network ad blocker. This vulnerability allows an attacker to inject malicious scripts into the web interface, potentially leading to unauthorized access or data theft. The vulnerability impacts Pi-hole versions 6.0.0 through 6.4.9, and a patch is available in version 6.5.0.
CVE-2026-33404 in the Pi-hole Admin Interface allows an attacker to inject malicious HTML into the network page and into the dashboard chart tooltips. This occurs because client hostnames and IP addresses pulled from the FTL database are rendered into the DOM without output escaping. While upstream validation in dnsmasq and FTL blocks HTML characters arriving via the standard DHCP/DNS paths, the web UI itself does not escape these values when it displays them. An attacker could exploit this to execute scripts in the browser of a user viewing these pages, potentially leading to session cookie theft, redirection to malicious websites, or modification of page content.
Exploiting this vulnerability requires an attacker to have access to the network on which Pi-hole is running and to be able to manipulate DHCP/DNS responses so that malicious data lands in the FTL database. The attacker does not need to authenticate to the Pi-hole admin interface, because the flaw lies in how the frontend displays the data. The likelihood of exploitation depends on the network configuration and on how exposed the Pi-hole instance is to external attackers. Severity is considered moderate due to the potential impact on user data confidentiality and integrity.
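The following is an added illustration of the bug class described above, not Pi-hole's own code: a tooltip renderer that concatenates database fields straight into markup, its hardened counterpart that escapes every untrusted field at the point of output, and a defensive check a maintainer could run over the client table to flag hostnames that should never have contained markup characters. The function names, the hostname pattern and the sample rows are constructed for this example.

```javascript
// Added example (not Pi-hole code): HTML-escape client hostnames/IPs before rendering.
// renderTooltipUnsafe / renderTooltipSafe / findSuspiciousClients are illustrative names.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern this CVE describes: values read from the database are
// concatenated into markup and handed to the DOM as-is.
function renderTooltipUnsafe(client) {
  return `<b>${client.hostname}</b> (${client.ip})`;
}

// Hardened form: every untrusted field is escaped when it is output.
// In real DOM code, prefer textContent / createTextNode over innerHTML entirely.
function renderTooltipSafe(client) {
  return `<b>${escapeHtml(client.hostname)}</b> (${escapeHtml(client.ip)})`;
}

// Defence in depth / detection aid: a hostname learned from DHCP or DNS should
// only contain RFC 1123 label characters. Rows that fail this check are worth
// a look when reviewing the client table for tampering.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

function isPlausibleHostname(name) {
  return HOSTNAME_RE.test(String(name));
}

function findSuspiciousClients(clients) {
  return clients.filter((c) => !isPlausibleHostname(c.hostname));
}

// Constructed sample rows standing in for what the FTL database would return.
const SAMPLE_CLIENTS = [
  { hostname: "laptop.lan", ip: "192.168.1.20" },
  { hostname: "printer<i>injected</i>", ip: "192.168.1.21" },
];

// Stand-alone demo: the unsafe renderer passes the tag through, the safe one escapes it.
console.log(SAMPLE_CLIENTS.map(renderTooltipUnsafe));
console.log(SAMPLE_CLIENTS.map(renderTooltipSafe));
console.log("suspicious:", findSuspiciousClients(SAMPLE_CLIENTS).map((c) => c.ip));
```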
Exploit Status
EPSS: 0.02% (6th percentile)
The fix for this vulnerability is to update Pi-hole to version 6.5.0 or later. This version includes the necessary fixes to properly escape data before rendering it in the DOM, mitigating the risk of HTML injection. It is highly recommended to update Pi-hole as soon as possible to protect your network from potential attacks. Additionally, regularly review Pi-hole logs for suspicious activity and keep your underlying operating system software updated to improve overall security.
Update the Pi-hole web interface to version 6.5 or higher to mitigate the XSS vulnerability. This update correctly escapes input data, preventing the injection of malicious code in the network page and dashboard chart tooltips.
Pi-hole is an open-source DNS server and network-level ad blocker.
Updating Pi-hole ensures that the latest security patches are applied, protecting your network from vulnerabilities like CVE-2026-33404.
You can update Pi-hole using the pihole -up command in the command line or through the Pi-hole web admin interface.
Change Pi-hole and any related account passwords, review Pi-hole logs for suspicious activity, and consider reinstalling Pi-hole from scratch.
While not a complete solution, you can limit access to the Pi-hole web interface and restrict the IP addresses that can access it.