CVE-2026-33405
Received Received - Intake
Stored HTML Injection in Pi-hole Admin Interface Query Log

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33405
EUVD
EUVD-2026-19283
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pi-hole web_interface From 6.0 (inc) to 6.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33405 is a stored HTML injection vulnerability in the Pi-hole Admin Interface, specifically in the queries.js file affecting versions 6.0 through 6.4.1. The vulnerability occurs because the formatInfo() function renders certain fieldsβ€”data.upstream, data.client.ip, and data.ede.textβ€”directly into HTML without proper escaping when a user expands a query row in the Query Log detail view.

While JavaScript execution is blocked by the server's Content Security Policy (CSP), the injected HTML can still cause UI defacement or phishing risks by injecting arbitrary HTML forms or content. The vulnerability requires authenticated administrator access and either local filesystem access or control over an upstream DNS server to exploit.

Impact Analysis

This vulnerability can impact you by allowing an attacker with authenticated administrator access to cause UI defacement or phishing attacks within the Pi-hole Admin Interface. Although JavaScript execution is blocked by the CSP, malicious HTML can still be injected, potentially misleading administrators through fake forms or altered interface elements.

Exploitation requires either control over an upstream DNS server to inject malicious Extended DNS Error (EDE) text or interception of API responses, making the attack vector local and requiring high privileges.

Detection Guidance

Detection of this vulnerability involves verifying the Pi-hole version and inspecting the behavior of the Query Log detail view in the Pi-hole Admin Interface.

Specifically, check if your Pi-hole version is between 6.0 and before 6.5, as these versions are affected.

Since exploitation requires authenticated administrator access and potentially control over upstream DNS responses, detection can include reviewing query logs for unusual HTML content in the expanded query rows.

No explicit commands are provided in the resources, but general steps include:

  • Check Pi-hole version: `pihole -v`
  • Manually inspect the Query Log detail view in the Admin Interface for any unexpected HTML rendering or UI defacement.
  • Review upstream DNS server responses or logs for suspicious Extended DNS Error (EDE) text that might contain HTML.
Mitigation Strategies

The primary mitigation step is to upgrade Pi-hole to version 6.5 or later, where this vulnerability has been fixed.

Since exploitation requires authenticated administrator access, ensure that access to the Pi-hole Admin Interface is tightly controlled and limited to trusted users.

Additionally, restrict or monitor control over upstream DNS servers to prevent injection of malicious Extended DNS Error (EDE) text.

The server's Content Security Policy (CSP) already mitigates JavaScript execution risks, but it does not prevent UI defacement or phishing via injected HTML forms, so vigilance is necessary.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart