HTML Attribute Injection in Pi-hole Admin Interface for Pi-hole
CVE-2026-33406

5.4 MEDIUM

Key Information:

Vendor

Pi-hole

Status
Vendor
CVE Published:
6 April 2026

What is CVE-2026-33406?

The Pi-hole Admin Interface is the web front end for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 through 6.4 of the web interface are vulnerable to HTML attribute injection: configuration values read from the /api/config endpoint are inserted directly into HTML value attributes in settings-advanced.js without being escaped. Any config value that contains a double quote therefore terminates the value attribute early, and whatever follows the quote is parsed as additional attributes on the element. The server's Content Security Policy prevents the injected attributes from executing JavaScript, but an injected style attribute can still restyle or overlay elements, which enables UI redressing. The main way to get such a value into the configuration is to import a crafted Teleporter backup, since that path bypasses the server-side validation applied to individual settings changes. The issue is fixed in version 6.5.
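The following is an added illustration, not code from the Pi-hole project or from settings-advanced.js. It contrasts the unsafe pattern the advisory describes (a raw config value concatenated into a value="" attribute) with attribute escaping, and includes a small attribute extractor so the effect can be checked in Node without a browser. The config key names, the rendering function names and the payload are all constructed for this example.

```javascript
// Added example (not Pi-hole's code): a config value containing a double
// quote breaks out of an HTML value="" attribute, and attribute escaping
// stops it. Keys, function names and the payload are constructed.

// Stand-in for a /api/config response. The first value carries a double
// quote followed by an injected style attribute (UI redressing payload);
// no JavaScript is involved, which is why a CSP does not stop it.
const configFromApi = {
  'dns.hosts': 'example" style="position:fixed;inset:0;background:#fff" data-x="',
  'dns.upstreams': '1.1.1.1',
};

// Vulnerable pattern: the raw value is concatenated into the attribute.
function renderInputVulnerable(key, value) {
  return `<input type="text" id="${key}" value="${value}">`;
}

// Escape the characters that can change meaning inside an attribute value.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened pattern: every interpolated string is escaped for attribute context.
function renderInputSafe(key, value) {
  return `<input type="text" id="${escapeAttr(key)}" value="${escapeAttr(value)}">`;
}

// Minimal attribute-name extractor for a single tag, so the test can show
// which attributes the browser would see. Only double-quoted values are
// handled, which is all the two renderers above produce.
function attributeNames(tagHtml) {
  const names = [];
  const re = /\s([a-zA-Z_:][\w:.-]*)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tagHtml)) !== null) names.push(m[1]);
  return names;
}

// Render one key both ways and report the attributes each version exposes.
function compare(key) {
  const value = configFromApi[key];
  return {
    vulnerable: attributeNames(renderInputVulnerable(key, value)),
    safe: attributeNames(renderInputSafe(key, value)),
  };
}

console.log(compare('dns.hosts'));
```

In real browser code the cleaner fix is to avoid building markup from strings at all: create the input element and assign `element.value = value` through the DOM property, which never passes through an attribute parser. Escaping as shown above is the right choice only where string templating cannot be removed.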

Affected Version(s)

web >= 6.0, < 6.5

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved