CVE-2026-33406
Received Received - Intake
HTML Attribute Injection in Pi-hole Admin Interface via Malicious Backup

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33406
EUVD
EUVD-2026-19285
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pi-hole web_interface From 6.0 (inc) to 6.4.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-33406 allows authenticated Pi-hole administrators to inject arbitrary HTML attributes into configuration input fields, enabling UI redressing attacks that can manipulate the user interface but do not allow JavaScript execution or direct data exfiltration.

The impact is limited to low confidentiality and integrity loss, with no availability impact. Since the vulnerability does not enable direct unauthorized access to sensitive data or system resources, its effect on compliance with standards like GDPR or HIPAA is likely minimal.

However, because it involves potential manipulation of the administrative interface, organizations should consider the risk of UI redressing attacks in their security assessments and ensure proper administrative controls and validation to maintain compliance.

Executive Summary

CVE-2026-33406 is a stored HTML attribute injection vulnerability in the Pi-hole Admin Interface versions 6.0 through 6.4.1. It occurs because configuration values from the /api/config endpoint are inserted directly into HTML value="" attributes without proper escaping in the settings-advanced.js script. This allows an attacker to inject double quotes that break out of the attribute context and add arbitrary HTML attributes such as style or placeholder.

Although JavaScript execution is blocked by the server's Content Security Policy (CSP), which restricts scripts to 'script-src 'self'' and blocks inline event handlers, the injected attributes can manipulate element styling and form behavior, enabling UI redressing attacks.

The primary attack vector is importing a malicious teleporter backup file that bypasses per-field server-side validation, allowing injection of these attributes. An alternative method is sending a malicious PATCH request to the /api/config endpoint. The vulnerability requires authenticated Pi-hole administrator privileges and user interaction to import the malicious configuration.

Impact Analysis

This vulnerability can impact you by allowing an attacker with Pi-hole administrator access to inject arbitrary HTML attributes into configuration input fields, which can alter the appearance and behavior of the web interface.

While JavaScript execution is blocked, the injected attributes can be used for UI redressing attacks, such as changing element styling or modifying form submission behavior, potentially misleading users or causing unintended actions.

The impact is limited to low confidentiality and integrity loss, with no impact on availability, since the attack does not allow code execution or system disruption.

Detection Guidance

This vulnerability can be detected by checking if your Pi-hole Web interface version is between 6.0 and before 6.5, as these versions are affected.

To detect exploitation or presence of injected HTML attributes, you can inspect the configuration values in the /api/config endpoint or the settings-advanced.js script for unescaped double quotes or unusual HTML attributes such as style or placeholder injected into input fields.

A practical approach is to export a teleporter backup and examine the pihole.toml configuration file for suspicious entries containing double quotes and injected attributes.

Commands to assist detection might include:

  • Export the teleporter backup via the Pi-hole admin interface or API.
  • Extract and inspect the pihole.toml file for suspicious strings, e.g., using grep:
  • grep -E '"\s*style=|"\s*placeholder=' pihole.toml
  • Check the /api/config endpoint output for unescaped double quotes or injected attributes by sending an authenticated API request, for example using curl:
  • curl -H "Authorization: Bearer <token>" https://<pihole-host>/admin/api.php?config
  • Manually inspect the HTML source of the settings page (/admin/settings/all) for injected attributes in input fields.
Mitigation Strategies

The primary immediate mitigation is to upgrade Pi-hole Web to version 6.5 or later, where this vulnerability is fixed.

Until the upgrade can be performed, avoid importing teleporter backup files from untrusted sources, as this is the main attack vector.

Restrict access to the Pi-hole admin interface to trusted administrators only, since authenticated admin privileges are required to exploit this vulnerability.

Avoid using the direct API PATCH /api/config method with untrusted input to prevent injection.

Monitor and audit configuration changes and teleporter imports for suspicious content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33406. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart