Platform: javascript
Component: pi-hole/web
Fixed in: 6.0.1
CVE-2026-33406 is an HTML attribute injection vulnerability in the Pi-hole Admin Interface (pi-hole/web), the web front end for managing the Pi-hole network-level ad and tracker blocker. In versions 6.0.0 up to, but not including, 6.5.0, configuration values retrieved from the /api/config endpoint are inserted into HTML value= attributes in settings-advanced.js by string concatenation, without escaping. A double quote in any configuration value therefore terminates the attribute, and the remainder of the value is parsed as further attributes on the element. The server's Content Security Policy (script-src 'self') blocks inline scripts and event-handler attributes, so arbitrary JavaScript execution is not expected; injected attributes such as style can still change how elements are rendered or behave, which is the basis for UI redressing against administrators. The issue is fixed in version 6.5.0.
Exploitation requires the ability to set a configuration value that the settings page later renders, which in practice means access to the Pi-hole web interface or its API (for example, through a compromised local network, or because the interface is publicly exposed without adequate protection). Because the CSP blocks script execution, the practical impact is manipulation of the admin interface: hiding or restyling elements, misrepresenting settings, or otherwise confusing administrators, which could support phishing-style attacks or trick an administrator into changing settings. Note that script-src governs script, not inline style attributes; whether an injected style attribute takes effect depends on the policy's style-src directive, which this advisory does not state. The severity is considered moderate because of the CSP restrictions, but the possibility of interface manipulation justifies updating.
Exploit Status
EPSS: 0.04% (12th percentile)
Upgrade the Pi-hole web interface to version 6.5.0 or later. That release escapes configuration values in settings-advanced.js before inserting them into HTML attributes, so a double quote in a value can no longer terminate the attribute and introduce further attributes. Apply the update promptly, and check for Pi-hole updates regularly; updating is the most effective way to address this vulnerability and keep the admin interface secure.
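The following is an added example, not code from Pi-hole or from this advisory. It reproduces the pattern described above for settings-advanced.js (a configuration value concatenated raw into a value="" attribute) beside the escaping fix the update applies, and uses a small attribute parser to show which attributes a browser would end up with in each case. The configuration key names, the injected payload and the parser are all constructed for illustration; the parser only handles the consistently double-quoted markup the example itself produces.

```javascript
// Added example, not Pi-hole's own code. It reproduces the vulnerable pattern
// described for settings-advanced.js (a config value concatenated raw into
// value="...") beside an escaping fix, and inspects the attributes a browser
// would see. Runs under Node.js with no dependencies.

// Constructed sample in the shape of key/value pairs from /api/config.
// The second value is attacker-controlled and carries a double quote.
// The key names are illustrative, not real Pi-hole settings.
const sampleConfig = {
  "example.upstream": "9.9.9.9",
  "example.comment": '" style="opacity:0" data-injected="',
};

// Escape the characters that matter inside a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Reverse of escapeAttr, used to confirm the round trip below.
function unescapeAttr(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern: the value goes into the markup unescaped.
function renderInputUnsafe(key, value) {
  return '<input type="text" id="' + key + '" value="' + value + '">';
}

// Hardened pattern: escape before concatenating. In a browser, creating the
// element with document.createElement and assigning input.value sidesteps
// the problem entirely; the string form is used here so it can be inspected
// offline.
function renderInputSafe(key, value) {
  return '<input type="text" id="' + escapeAttr(key) +
         '" value="' + escapeAttr(value) + '">';
}

// Minimal parser for one start tag: the attribute map an HTML parser would
// produce for the simple, consistently double-quoted markup above.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([^\s=]+)(?:="([^"]*)")?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1]] = m[2] === undefined ? "" : m[2];
  }
  return attrs;
}

const EXPECTED = ["type", "id", "value"];

// Compare what each rendering yields for one config key.
function compareRenderings(key) {
  const value = sampleConfig[key];
  const unsafe = parseAttributes(renderInputUnsafe(key, value));
  const safe = parseAttributes(renderInputSafe(key, value));
  return {
    // attributes that exist only because the value broke out of value=""
    injectedUnsafe: Object.keys(unsafe).filter((k) => !EXPECTED.includes(k)),
    injectedSafe: Object.keys(safe).filter((k) => !EXPECTED.includes(k)),
    // the escaped form still carries the original value intact
    safeRoundTrip: unescapeAttr(safe.value) === value,
  };
}

console.log(JSON.stringify(compareRenderings("example.comment")));
// {"injectedUnsafe":["style","data-injected"],"injectedSafe":[],"safeRoundTrip":true}
```

The unsafe rendering yields a style attribute and an extra data- attribute that were never part of the template, which is exactly the element-styling manipulation the advisory describes and which script-src does not prevent; the escaped rendering keeps the whole payload inside value="" and still round-trips to the original string, so the fix does not alter what the settings page displays.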
Pi-hole is an open-source software that functions as a DNS server and network-level ad and tracker blocker.
HTML attribute injection is an attack technique in which attacker-controlled data breaks out of an HTML attribute value and is parsed as additional attributes or markup, altering the appearance or behaviour of the page.
Arbitrary code execution is unlikely because of the Content Security Policy, but the vulnerability could allow an attacker to manipulate the Pi-hole admin interface, potentially confusing administrators or leading to altered settings.
If you cannot update immediately, protect the web interface with a strong password, keep it reachable only from a trusted local network rather than exposing it to the internet, and treat unexpected double quotes in configuration values returned by /api/config as a sign that someone may have attempted this injection.
You can find more information about CVE-2026-33406 in vulnerability databases, such as the National Vulnerability Database (NVD).