Vulnerability Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pi-Hole | Web Interface | < 6.3 |
Related Weaknesses (CWE)
References
- https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6wExploitVendor Advisory
FAQ
What is CVE-2025-53533?
CVE-2025-53533 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnera...
How severe is CVE-2025-53533?
CVE-2025-53533 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-53533?
Check the references section above for vendor advisories and patch information. Affected products include: Pi-Hole Web Interface.