CVE-2026-33406: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pi-hole web
CVE-2026-33406 is a medium severity cross-site scripting (XSS) vulnerability in the Pi-hole Admin Interface web application versions 6. 0 up to but not including 6. 5. The issue arises because configuration values retrieved from the /api/config endpoint are inserted directly into HTML attribute values without proper escaping, allowing HTML attribute injection. Although JavaScript execution is blocked by the server's Content Security Policy (CSP), injected attributes can manipulate element styling, enabling UI redressing attacks. The primary attack vector is through importing a malicious teleporter backup, which bypasses server-side validation. This vulnerability is fixed in Pi-hole version 6. 5.
AI Analysis
Technical Summary
Pi-hole Admin Interface versions 6.0 to before 6.5 improperly neutralize input when generating web pages by placing configuration values directly into HTML value attributes without escaping. This allows an attacker to inject malicious HTML attributes by including double quotes in config values, breaking out of the attribute context. While the server's CSP prevents execution of injected JavaScript, the injected attributes can alter element styling, potentially enabling UI redressing attacks. The vulnerability can be exploited by importing a crafted teleporter backup that circumvents per-field validation. The issue is resolved in version 6.5 of Pi-hole.
Potential Impact
The vulnerability allows an attacker to inject arbitrary HTML attributes into the Pi-hole web interface, which can be used to manipulate the user interface appearance (UI redressing). Although direct JavaScript execution is blocked by the server's CSP, the altered styling could mislead users or facilitate phishing-like attacks within the interface. The attack requires user interaction to import a malicious teleporter backup. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Pi-hole version 6.5. Users should upgrade to version 6.5 or later to remediate this issue. Since no official patch link or advisory is provided, users should verify the upgrade from the official Pi-hole release notes or website. Until upgrading, avoid importing teleporter backups from untrusted sources to reduce risk.
CVE-2026-33406: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pi-hole web
Description
CVE-2026-33406 is a medium severity cross-site scripting (XSS) vulnerability in the Pi-hole Admin Interface web application versions 6. 0 up to but not including 6. 5. The issue arises because configuration values retrieved from the /api/config endpoint are inserted directly into HTML attribute values without proper escaping, allowing HTML attribute injection. Although JavaScript execution is blocked by the server's Content Security Policy (CSP), injected attributes can manipulate element styling, enabling UI redressing attacks. The primary attack vector is through importing a malicious teleporter backup, which bypasses server-side validation. This vulnerability is fixed in Pi-hole version 6. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Pi-hole Admin Interface versions 6.0 to before 6.5 improperly neutralize input when generating web pages by placing configuration values directly into HTML value attributes without escaping. This allows an attacker to inject malicious HTML attributes by including double quotes in config values, breaking out of the attribute context. While the server's CSP prevents execution of injected JavaScript, the injected attributes can alter element styling, potentially enabling UI redressing attacks. The vulnerability can be exploited by importing a crafted teleporter backup that circumvents per-field validation. The issue is resolved in version 6.5 of Pi-hole.
Potential Impact
The vulnerability allows an attacker to inject arbitrary HTML attributes into the Pi-hole web interface, which can be used to manipulate the user interface appearance (UI redressing). Although direct JavaScript execution is blocked by the server's CSP, the altered styling could mislead users or facilitate phishing-like attacks within the interface. The attack requires user interaction to import a malicious teleporter backup. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability is fixed in Pi-hole version 6.5. Users should upgrade to version 6.5 or later to remediate this issue. Since no official patch link or advisory is provided, users should verify the upgrade from the official Pi-hole release notes or website. Until upgrading, avoid importing teleporter backups from untrusted sources to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-19T17:02:34.170Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d3ce180a160ebd92c09cd1
Added to database: 4/6/2026, 3:15:36 PM
Last enriched: 4/6/2026, 3:30:55 PM
Last updated: 4/6/2026, 11:02:58 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.