CVE-2026-33403 MEDIUM

CVE-2026-33403: Pi-hole has a Reflected XSS / HTML injection in taillog.js

Vendor Pi-Hole
Product web
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 6, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.

Key dates

02Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-62210 Dynamics 365 Field Service (online) Spoofing Vulnerability CVE-2025-7644 Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-59903 Stored Cross-Site Scripting (XSS) in Kubysoft CVE-2021-24245 Stop Spammers < 2021.9 - Reflected Cross-Site Scripting (XSS) CVE-2024-13394 ViewMedica 9 <= 1.4.18 - Authenticated (Contributor+) Stored Cross-Site Scripting