CVE-2026-33404
Cross-Site Scripting in Pi-hole Admin Interface Pre
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | web_interface | 6.0 (inclusive) through 6.4.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Pi-hole to version 6.5 or later, where this vulnerability has been fixed by adding proper output escaping in the web interface.
Since exploitation requires local filesystem access with high privileges, ensure that access to the Pi-hole FTL database and DHCP lease files is restricted and secured.
The Pi-hole teleporter tool does not import the FTL database, so it is not a vector for this issue; any other path by which the FTL database or DHCP lease files could be written should be carefully controlled.
Regularly audit the FTL database for suspicious hostnames or IP addresses containing HTML or script tags and remove any malicious entries found.
Can you explain this vulnerability to me?
CVE-2026-33404 is a stored Cross-Site Scripting (XSS) and HTML injection vulnerability in the Pi-hole Admin Interface, specifically affecting the Network page and Dashboard components in versions 6.0 through 6.4.1.
The vulnerability arises because client hostnames and IP addresses retrieved from the FTL database are inserted into the web interface's DOM without proper HTML escaping. This allows malicious HTML content to be interpreted and rendered by the browser.
While upstream components like dnsmasq and Pi-hole's FTL daemon validate hostnames to block HTML characters, the web UI itself does not escape these fields consistently, leading to this injection risk.
Exploitation requires local filesystem access to insert malicious hostnames directly into the FTL database or DHCP lease file, bypassing upstream validation.
This vulnerability was fixed in Pi-hole version 6.5 by adding proper output escaping in the affected UI components.
How can this vulnerability impact me?
This vulnerability can impact authenticated Pi-hole administrators by allowing stored XSS or HTML injection attacks within the admin interface.
An attacker with local filesystem access and high privileges could insert malicious hostnames that execute arbitrary HTML or scripts when viewed by an administrator.
Potential impacts include manipulation of the user interface or execution of malicious scripts in the context of the admin interface.
However, remote exploitation is not possible via normal DHCP/DNS mechanisms due to upstream hostname validation.
The overall severity is rated low with a CVSS v3.1 base score of 3.4.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Pi-hole installation is running a vulnerable version (6.0 up to, but not including, 6.5) and by inspecting the Pi-hole FTL database for injected hostnames or IP addresses containing HTML or script tags.
Since exploitation requires local filesystem access to the pihole-FTL.db database, you can query this SQLite database directly to look for suspicious entries.
A suggested command to detect injected hostnames is to query the FTL database using sqlite3, for example:
- `sqlite3 /etc/pihole/pihole-FTL.db "SELECT DISTINCT hostname FROM network WHERE hostname LIKE '%<%' OR hostname LIKE '%>%' OR hostname LIKE '%script%' OR hostname LIKE '%html%';"`
This command searches for hostnames containing HTML special characters or script tags that could indicate injection.
Additionally, verifying the Pi-hole version with the command `pihole -v` can help determine if the system is patched (version 6.5 or later).
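As an added example (not from the advisory or from the Pi-hole project), the following Python script builds a constructed in-memory copy of a `network` table using the column names from the query above, flags stored hostnames that contain markup or fail hostname syntax (which also catches quotes and ampersands that the LIKE patterns miss), shows the entity-encoding the patched UI applies before rendering a name, and checks a `pihole -v` version string against the affected range. The table layout, sample rows and MAC addresses are assumptions; confirm the live schema with `.schema` in sqlite3 before running it against a real pihole-FTL.db.

```python
import html
import re
import sqlite3

# Constructed schema using the table and column names from the detection
# query on this page ("network"/"hostname"); the real pihole-FTL.db has more
# columns, so confirm names with `.schema` in sqlite3 before running live.
SCHEMA = "CREATE TABLE network (id INTEGER PRIMARY KEY, hwaddr TEXT, hostname TEXT)"

# Hostname labels per RFC 1123: alphanumerics and hyphens, dot-separated.
VALID_HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
# Markup that has no business in a hostname; broader than the page's LIKE
# patterns, which miss quotes, ampersands and attribute event handlers.
HTML_MARKERS = re.compile(r"[<>\"'&]|script|on[a-z]+\s*=", re.IGNORECASE)

def open_sample_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO network (hwaddr, hostname) VALUES (?, ?)", [
        ("aa:bb:cc:dd:ee:01", "laptop.lan"),
        ("aa:bb:cc:dd:ee:02", "printer-2"),
        ("aa:bb:cc:dd:ee:03", "<b>injected</b>"),
        ("aa:bb:cc:dd:ee:04", "cam&amp;era"),
        ("aa:bb:cc:dd:ee:05", None),  # never resolved; must not crash the scan
    ])
    return conn

def find_suspicious_hostnames(conn):
    """Return (hwaddr, hostname) for names that are not valid hostnames
    or that contain HTML markers, i.e. candidates for injected entries."""
    rows = conn.execute("SELECT hwaddr, hostname FROM network "
                        "WHERE hostname IS NOT NULL ORDER BY id")
    return [(mac, name) for mac, name in rows
            if HTML_MARKERS.search(name) or not VALID_HOSTNAME.match(name)]

def render_hostname(name):
    """What the patched UI must do before putting a name into the DOM:
    entity-encode it so the browser shows the text instead of parsing it."""
    return html.escape(name, quote=True)

def is_affected(version):
    """True for web interface versions in the page's range, 6.0 to 6.4.1."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return (6, 0) <= parts <= (6, 4, 1)
```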
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact or implications of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.