CVE-2021-29448 HIGH

CVE-2021-29448: Stored DOM XSS in Pi-hole Admin Web Interface

Vendor Pi-Hole

Product AdminLTE

Weakness CWE-79 · XSS

Published April 15, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

7.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

What the vulnerability does

01Description

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.

Key dates

02Disclosure timeline

April 15, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-29448 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-57887 WordPress Jobmonster Theme <= 4.8.0 - Cross Site Scripting (XSS) Vulnerability CVE-2024-10057 RSS Feed Widget <= 2.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via rfw-youtube-videos Shortcode CVE-2025-15266 GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting CVE-2026-25599 Missing authentication and clear‑text data transmission affecting Orca heat pumps CVE-2025-53996 WordPress JetSearch plugin <= 3.5.10.1 - Cross Site Scripting (XSS) Vulnerability