Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. In versions from 6.0 up to, but not including, 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping, which is inconsistent with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
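
The gap described above, output escaping missing at the rendering sink even though upstream validation exists, is shown in the following added example. It is not code from Pi-hole's network.js, charts.js or index.js; the function names, record fields and sample rows are hypothetical and constructed for illustration.

```javascript
// Added illustration; names and record shape are assumptions, not Pi-hole code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Unescaped pattern: database values concatenated straight into markup.
function renderRowUnescaped(client) {
  return "<tr><td>" + client.ip + "</td><td>" + client.hostname + "</td></tr>";
}

// Hardened pattern: escape at the sink, regardless of upstream validation.
function renderRowEscaped(client) {
  return "<tr><td>" + escapeHtml(client.ip) + "</td><td>" +
         escapeHtml(client.hostname) + "</td></tr>";
}

// Tooltip text for a chart entry (hypothetical shape); falls back to the IP
// when no hostname is stored, and escapes whichever value is used.
function tooltipLabel(client, queries) {
  const name = client.hostname || client.ip;
  return escapeHtml(name) + ": " + escapeHtml(queries) + " queries";
}

// Constructed sample records standing in for rows read from the database.
const sampleClients = [
  { ip: "192.168.1.10", hostname: "laptop.lan" },
  { ip: "192.168.1.23", hostname: '<b title="x">printer</b>' }, // markup-bearing value
  { ip: "192.168.1.40", hostname: "" },
];

// Review helper: list records whose stored values contain characters that
// would be interpreted as markup if rendered without escaping.
function findMarkupBearing(clients) {
  return clients.filter(c =>
    escapeHtml(c.hostname) !== c.hostname || escapeHtml(c.ip) !== c.ip);
}

for (const c of sampleClients) console.log(renderRowEscaped(c));
```
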

INFO

Published Date: 2026-04-06T14:48:45.348Z
Last Modified: 2026-04-06T18:39:53.011Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-33404 vulnerability.

Vendor: Pi-hole
Products:
  • Web