Platform: javascript
Component: pi-hole/web
Fixed in: 6.0.1
CVE-2026-33405 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Pi-hole Web Interface. This vulnerability arises from improper HTML escaping within the formatInfo() function, specifically when expanding query rows in the Query Log. Attackers can inject malicious HTML, potentially leading to client-side script execution, though the server's Content Security Policy (CSP) mitigates this risk. The vulnerability impacts Pi-hole versions 6.0.0 through 6.4 and is resolved in version 6.5.0.
An attacker exploiting CVE-2026-33405 could inject malicious HTML into the Pi-hole Web Interface's Query Log. While the server-side CSP restricts JavaScript execution, the injected HTML could still be used for phishing attacks, redirecting users to malicious websites, or defacing the Pi-hole admin interface. The impact is primarily limited to the users accessing the Pi-hole web interface, and the CSP significantly reduces the potential for severe client-side attacks. Successful exploitation requires a user to expand a query row containing the malicious HTML, making it a targeted attack rather than a widespread compromise.
CVE-2026-33405 was publicly disclosed on 2026-04-06. Currently, there are no known public proof-of-concept exploits available. The vulnerability's CVSS score is LOW, indicating a relatively low probability of exploitation in the wild. It has not been added to the CISA KEV catalog at the time of writing. The vulnerability's impact is mitigated by the existing CSP, further reducing the likelihood of widespread exploitation.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-33405 is to upgrade Pi-hole to version 6.5.0 or later, which includes the necessary HTML escaping fix. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious HTML injected into the Query Log. Specifically, look for patterns involving HTML tags within the data.upstream, data.client.ip, and data.ede.text fields. While a direct workaround is unavailable, careful monitoring of the Query Log for unusual HTML content can provide early detection of potential exploitation attempts. After upgrading, confirm the fix by expanding a query row and verifying that HTML entities are properly escaped.
Update the Pi-hole Admin Interface to version 6.5 or higher to mitigate the stored HTML injection vulnerability. This update corrects the lack of escaping of sensitive data in the formatInfo() function, preventing the execution of malicious code.
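The defect described above is missing HTML escaping of query-row fields before they are rendered. The following added example (not Pi-hole's own code) shows the hardened pattern for a stand-in formatter, plus the check the advisory suggests for log review: flagging records whose `upstream`, `client.ip` or `ede.text` fields contain markup-significant characters. The row layout and helper names are assumptions.

```javascript
// Added example, not code from the pi-hole/web project. Demonstrates escaping
// untrusted record fields before placing them in the expanded query-row HTML.

// Escape the characters that are significant in HTML text and attribute context.
// '&' must be handled first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical stand-in for the expanded-row formatter. The field names follow
// the advisory (upstream, client.ip, ede.text); the table layout is assumed.
function formatInfoSafe(data) {
  const upstream = data.upstream ?? "";
  const clientIp = (data.client && data.client.ip) ?? "";
  const edeText = (data.ede && data.ede.text) ?? "";
  return (
    "<table>" +
    "<tr><td>Upstream</td><td>" + escapeHtml(upstream) + "</td></tr>" +
    "<tr><td>Client</td><td>" + escapeHtml(clientIp) + "</td></tr>" +
    "<tr><td>EDE</td><td>" + escapeHtml(edeText) + "</td></tr>" +
    "</table>"
  );
}

// Log-review helper: return the names of the three advisory fields whose
// value contains characters that would be interpreted as markup.
function findMarkupInFields(data) {
  const fields = {
    "upstream": data.upstream,
    "client.ip": data.client && data.client.ip,
    "ede.text": data.ede && data.ede.text,
  };
  const markup = /[<>&"']/;
  return Object.keys(fields).filter(
    (name) => fields[name] != null && markup.test(String(fields[name]))
  );
}

// Constructed sample record (not a real Pi-hole log entry): the EDE text
// carries a tag, the other two fields are ordinary values.
const sampleRecord = {
  upstream: "8.8.8.8#53",
  client: { ip: "10.0.0.5" },
  ede: { text: "<b>forged</b>" },
};
```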
CVE-2026-33405 is a stored XSS vulnerability in the Pi-hole Web Interface affecting versions from 6.0.0 up to, but not including, 6.5. Expanding query rows can allow injection of unescaped HTML, though CSP mitigates script execution.
If you are running Pi-hole versions 6.0.0 through 6.4, you are potentially affected. Upgrade to version 6.5.0 to resolve the vulnerability.
The recommended fix is to upgrade Pi-hole to version 6.5.0 or later. As a temporary workaround, consider implementing a WAF rule to filter potentially malicious HTML.
Currently, there are no known reports of active exploitation of CVE-2026-33405, and no public proof-of-concept exploits are available.
Refer to the official Pi-hole security advisory on their website for detailed information and updates: [https://pi-hole.net/security/](https://pi-hole.net/security/)