Executive Summary

CVE-2026-33403 is a reflected DOM-based Cross-Site Scripting (XSS) and HTML injection vulnerability in the Pi-hole Admin Interface, specifically in the taillog.js script affecting versions 6.0 through 6.4.1.

The vulnerability occurs because the file query parameter is inserted directly into an innerHTML assignment without proper escaping when it is not in an allowlist. This allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL.

Although the Content-Security-Policy (CSP) blocks inline JavaScript execution, it lacks the form-action directive, which allows injected <form> elements to submit data to external attacker-controlled origins. This can be exploited to create convincing credential-phishing overlays within the admin interface.

Useful 0 Not Useful 0

Impact Analysis

An attacker can exploit this vulnerability by sending a crafted malicious URL to an authenticated Pi-hole administrator. If the administrator clicks the link while logged in, the attacker can inject arbitrary HTML into the admin interface.

This can lead to credential theft through phishing forms embedded in the interface, allowing the attacker to steal the admin password.

With stolen credentials, the attacker can make unauthorized DNS configuration changes, potentially redirecting network traffic or disrupting network operations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Pi-hole installation is running a vulnerable version between 6.0 and before 6.5, and by testing if the taillog.js file improperly handles the file query parameter.

One practical method is to attempt accessing the Pi-hole admin interface with a crafted URL containing a file parameter not in the allowlist (e.g., ?file=malicious). If the interface reflects this parameter as unescaped HTML, the vulnerability is present.

You can also verify the Pi-hole version by running the following command on the Pi-hole server:

• pihole -v

To detect suspicious HTTP requests or attempts to exploit this vulnerability on your network, you can monitor web server logs for unusual URLs containing the file parameter with unexpected values.

For example, using grep on the Pi-hole web server logs:

• grep 'file=' /var/log/lighttpd/access.log

If you see requests with file parameters outside the allowed list (dnsmasq, ftl, webserver), it may indicate attempts to exploit this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Pi-hole to version 6.5 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, you should restrict access to the Pi-hole admin interface to trusted networks only, preventing unauthenticated attackers from reaching the vulnerable interface.

Additionally, monitor for suspicious URLs containing unexpected file parameters and educate users not to click on untrusted links that may target the Pi-hole admin interface.

Implementing a Content-Security-Policy with a form-action directive restricting form submissions to trusted origins can also help mitigate credential exfiltration, but this requires modifying the server configuration.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to inject arbitrary HTML into the Pi-hole admin interface, potentially leading to credential theft through phishing attacks. This unauthorized access to administrator credentials could result in unauthorized changes to DNS configurations and exposure of sensitive information.

Such unauthorized access and potential data exfiltration could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and user credentials. The ability to steal administrator credentials and manipulate configurations may lead to violations of confidentiality and integrity requirements mandated by these regulations.

Useful 0 Not Useful 0