CVE-2026-33405

CVSS Score & Metrics

Base Score

3.1 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N                                    

Vulnerability Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.

Vulnerability Details

Published Date

April 06, 2026

Last Modified

April 09, 2026

CWE ID

CWE-79

Source

NVD

Vendor

pi-hole

Product

web

External References

https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment