CVE-2026-33404 LOW

CVE-2026-33404: Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard

Vendor Pi-Hole
Product web
Weakness CWE-79 · XSS
Published April 6, 2026
Last update April 6, 2026

CVSS base score

3.4/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. In versions 6.0 and later, before 6.5, client hostnames and IP addresses read from the FTL database are rendered into the DOM without escaping in network.js (Network page) and in charts.js/index.js (Dashboard chart tooltips). Upstream validation in dnsmasq and FTL rejects HTML characters when a hostname arrives through the normal DHCP/DNS paths, but the web UI performs no output escaping of its own, which is inconsistent with other fields in the same files that are escaped correctly. This vulnerability is fixed in 6.5.
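The bug class described above, shown as an added example rather than Pi-hole's own code: a client record from a database is interpolated into page markup verbatim, next to the hardened form that escapes every database-derived value at output time. The function names, the `escapeHtml` helper and the sample client record are constructed for this illustration and are not taken from the Pi-hole repository.

```javascript
// Added example for the CVE-2026-33404 bug class (stored HTML injection via
// unescaped client fields). Not Pi-hole's code; all names are assumptions.

// Escape the five characters that change meaning inside HTML text and
// attribute values. '&' must be handled first so later entities are not
// double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: hostname and IP from the database go into the markup
// as-is, so any markup stored in the hostname field is rendered as HTML.
function renderNetworkRowUnsafe(client) {
  return `<tr><td>${client.ip}</td><td>${client.hostname}</td></tr>`;
}

// Hardened pattern: the same row, with every untrusted field escaped at the
// point where it is written into HTML.
function renderNetworkRowSafe(client) {
  return `<tr><td>${escapeHtml(client.ip)}</td><td>${escapeHtml(client.hostname)}</td></tr>`;
}

// Chart tooltip text follows the same rule when the chart library renders
// labels as HTML rather than as plain text.
function tooltipLabelSafe(client) {
  return `${escapeHtml(client.hostname)} (${escapeHtml(client.ip)})`;
}

// Review-time check: does a rendered fragment still contain the raw markup
// that came from the untrusted field? True means escaping was skipped.
function leaksMarkup(client, html) {
  return /[<>"']/.test(client.hostname) && html.includes(client.hostname);
}

// Constructed sample record: a hostname carrying benign markup, standing in
// for a value that bypassed the DHCP/DNS validation path.
const sampleClient = { ip: "192.0.2.10", hostname: "<i>printer</i>" };

console.log(renderNetworkRowUnsafe(sampleClient)); // markup survives
console.log(renderNetworkRowSafe(sampleClient));   // markup is neutralised
console.log(leaksMarkup(sampleClient, renderNetworkRowUnsafe(sampleClient))); // true
console.log(leaksMarkup(sampleClient, renderNetworkRowSafe(sampleClient)));   // false
```

When the page builds DOM nodes directly rather than HTML strings, assigning the value to `textContent` (or using `document.createTextNode`) is the simpler fix, since the browser then never parses it as markup; the string-escaping form above is what applies when a template or a chart library's HTML tooltip receives the text.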

Key dates

02 Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated