CVE-2025-32785 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Pi-hole Admin Interface web application versions prior to 6.3. Pi-hole is widely used as a network-level ad and tracker blocker. The vulnerability arises from improper neutralization of input in the Address field within the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript payloads by entering specially crafted input into this field when creating or editing list entries. The injected script is executed when another user navigates to the Tools section and initiates a gravity database update, which processes the stored Address field data without proper sanitization. This flaw allows attackers to execute arbitrary scripts in the context of the victim’s browser session, potentially leading to session hijacking, privilege escalation, or other malicious actions. The vulnerability requires the attacker to have authenticated access to the admin interface and some user interaction (visiting the Tools section and performing an update). The CVSS 4.0 score is 2.0 (low severity), reflecting the limited impact and exploitation complexity. No public exploits are known, and the issue has been addressed in Pi-hole version 6.3 by implementing proper input validation and sanitization for the Address field.

For European organizations deploying Pi-hole as part of their network security infrastructure, this vulnerability could enable an authenticated insider or compromised user account to execute malicious scripts within the admin interface. This may lead to unauthorized actions such as session hijacking, manipulation of Pi-hole configurations, or lateral movement within the network. Although the impact is limited by the requirement for authentication and user interaction, organizations with multiple administrators or shared access to the Pi-hole interface are at higher risk. Exploitation could disrupt network-level ad blocking and tracking protection, potentially exposing users to unwanted content or privacy risks. Additionally, attackers might leverage this XSS to implant persistent scripts for further exploitation or data exfiltration. While no widespread exploitation is reported, the vulnerability could be used in targeted attacks against organizations relying on Pi-hole for network hygiene. The low CVSS score indicates a relatively minor threat, but the risk increases in environments with weak access controls or poor user management.

The primary mitigation is to upgrade all Pi-hole Admin Interface installations to version 6.3 or later, where the vulnerability has been patched with proper input sanitization. Until upgrades can be applied, organizations should restrict access to the Pi-hole admin interface to trusted administrators only, ideally via network segmentation or VPN access. Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of unauthorized access. Regularly audit user accounts and permissions to ensure only authorized personnel can modify subscribed lists. Educate administrators about the risks of injecting untrusted input and the importance of cautious interaction with the admin interface. Monitor logs for unusual activity related to the Tools section or gravity database updates. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the Pi-hole interface. Finally, maintain an up-to-date inventory of Pi-hole deployments to ensure timely patch management.