Web Interface Vulnerability in Pi-hole Admin Interface by Pi-hole
CVE-2026-33404

3.4LOW

Key Information:

Vendor: Pi-hole
Status: Web
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-33404?

The Pi-hole Admin Interface, used for managing the Pi-hole application, has a vulnerability that allows client hostnames and IP addresses from the FTL database to be rendered into the DOM without proper escaping in specific JavaScript files. Although upstream validation in dnsmasq and FTL mitigates the risk by blocking HTML characters through normal DHCP/DNS paths, the absence of output escaping in the web UI creates a potential injection risk. This inconsistency with other safely rendered fields necessitates a security update, which is provided in version 6.5.

Affected Version(s)

web >= 6.0, < 6.5

References

https://github.com/pi-hole/web/security/advisories/GHSA-p...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.4

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Mar 19, 2026

CVE-2026-33404 Data

JSON