Stored HTML Injection in Pi-hole Admin Interface Affects Network-level Ad Blocker
CVE-2026-33405

3.1LOW

Key Information:

Vendor: Pi-hole
Status: Web
Vendor: CVE Published:; 6 April 2026

What is CVE-2026-33405?

The Pi-hole Admin Interface, part of the Pi-hole project for network-level ad blocking, is susceptible to a stored HTML injection vulnerability. This issue arises due to improper handling of user input in the formatInfo() function located in queries.js. When a user expands a query row in the Query Log, data such as 'data.upstream', 'data.client.ip', and 'data.ede.text' is rendered directly into HTML without the necessary escaping. This oversight permits stored HTML payloads within the interface. Though JavaScript execution is restricted by the server's Content Security Policy, the improper rendering poses security risks, notably affecting user experience and system reliability. The vulnerability has been addressed in version 6.5 of the product.

Affected Version(s)

web >= 6.0, < 6.5

References

https://github.com/pi-hole/web/security/advisories/GHSA-j...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
Vulnerability Reserved
Mar 19, 2026

CVE-2026-33405 Data

JSON