Vulnerability Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pi-Hole | Web Interface | >= 6.0, <= 6.4.1 |
Related Weaknesses (CWE)
References
- https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9vThird Party Advisory
FAQ
What is CVE-2026-33404?
CVE-2026-33404 is a vulnerability with a CVSS score of 3.4 (LOW). Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL da...
How severe is CVE-2026-33404?
CVE-2026-33404 has been rated LOW with a CVSS base score of 3.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33404?
Check the references section above for vendor advisories and patch information. Affected products include: Pi-Hole Web Interface.