Reflected DOM-based XSS in Pi-hole Admin Interface Affects Pi-hole
CVE-2026-33403

6.1MEDIUM

Key Information:

Vendor: Pi-hole
Status: Web
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-33403?

A reflected DOM-based cross-site scripting (XSS) vulnerability exists in the Pi-hole Admin Interface, which allows unauthenticated attackers to inject arbitrary HTML via a crafted URL. This issue arises from the taillog.js file, where user-supplied data is directly interpolated into an innerHTML assignment without proper escaping. Additionally, the lack of a form-action directive in the Content-Security-Policy can lead to the creation of malicious forms that may exfiltrate user credentials to unauthorized external origins. This vulnerability affects versions of the Pi-hole Admin Interface from 6.0 to before 6.5 and has been addressed in the latest release.

Affected Version(s)

web >= 6.0, < 6.5

References

https://github.com/pi-hole/web/security/advisories/GHSA-7...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Mar 19, 2026

CVE-2026-33403 Data

JSON