XSS Vulnerability in Pi-hole Admin Interface by Pi-hole
CVE-2025-32785

2LOW

Key Information:

Vendor: Pi-hole
Status: Web
Vendor: CVE Published:; 27 October 2025

What is CVE-2025-32785?

The Pi-hole Admin Interface, essential for managing the Pi-hole ad-blocking application, is susceptible to a cross-site scripting (XSS) vulnerability. This issue arises in versions prior to 6.3, specifically in the Address field within the Subscribed Lists group management. An authenticated user can exploit this weakness by injecting malicious JavaScript through a crafted payload while creating or editing list entries. When another user accesses the Tools section and triggers a gravity database update, the inserted JavaScript executes, due to inadequate input sanitization in the Address field. This vulnerability emphasizes the critical importance of implementing robust validation measures to prevent unsanitized input from potentially compromising user accounts. Users are advised to update to version 6.3 or later to remediate this security risk.

Affected Version(s)

web < 6.3

References

https://github.com/pi-hole/web/security/advisories/GHSA-7...

x_refsource_CONFIRM

CVSS V4

Score:

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 27, 2025
Vulnerability Reserved
Apr 10, 2025

CVE-2025-32785 Data

JSON