CVE-2026-33406
HTML Attribute Injection in Pi-hole Admin Interface via Malicious Backup

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
Meta Information
Record generated: 2026-05-07
AI Q&A generated: 2026-04-06
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pi-hole
Product: web_interface
Version / Range: from 6.0 (inclusive) to 6.4.1 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33406 is a stored HTML attribute injection vulnerability in the Pi-hole Admin Interface versions 6.0 through 6.4.1. It occurs because configuration values from the /api/config endpoint are inserted directly into HTML value="" attributes without proper escaping in the settings-advanced.js script. This allows an attacker to inject double quotes that break out of the attribute context and add arbitrary HTML attributes such as style or placeholder.

Although JavaScript execution is blocked by the server's Content Security Policy (CSP), which restricts scripts to `script-src 'self'` and therefore blocks inline event handlers, the injected attributes can still manipulate element styling and form behavior, enabling UI redressing attacks.

The primary attack vector is importing a malicious teleporter backup file that bypasses per-field server-side validation, allowing injection of these attributes. An alternative method is sending a malicious PATCH request to the /api/config endpoint. The vulnerability requires authenticated Pi-hole administrator privileges and user interaction to import the malicious configuration.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with Pi-hole administrator access to inject arbitrary HTML attributes into configuration input fields, which can alter the appearance and behavior of the web interface.

While JavaScript execution is blocked, the injected attributes can be used for UI redressing attacks, such as changing element styling or modifying form submission behavior, potentially misleading users or causing unintended actions.

The impact is limited to low confidentiality and integrity loss, with no impact on availability, since the attack does not allow code execution or system disruption.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether your Pi-hole Web interface version is 6.0 or later but earlier than 6.5, as those versions are affected.

To detect exploitation, inspect the configuration values returned by the /api/config endpoint for double quotes or unexpected attribute fragments such as style= or placeholder= embedded in the values; these are the strings that settings-advanced.js places into the value="" attributes of input fields without escaping.

A practical approach is to export a teleporter backup and examine the pihole.toml configuration file for suspicious entries containing double quotes and injected attributes.

Commands to assist detection might include:

  • Export the teleporter backup via the Pi-hole admin interface or API.
  • Extract and inspect the pihole.toml file for suspicious strings, e.g., using grep:
      grep -E '"\s*style=|"\s*placeholder=' pihole.toml
  • Check the /api/config endpoint output for unescaped double quotes or injected attributes by sending an authenticated API request, for example using curl:
      curl -H "Authorization: Bearer <token>" https://<pihole-host>/api/config
  • Manually inspect the HTML source of the settings page (/admin/settings/all) for injected attributes in input fields.
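The following is an added example, not code from Pi-hole or from this advisory. It contrasts the unescaped value="" interpolation pattern described in the explanation above with a hardened version, and implements the detection idea from this answer as a walk over a constructed object shaped like /api/config output (all key names and sample values are assumptions, not Pi-hole's real schema).

```javascript
// Added example (not Pi-hole's code): unsafe vs. escaped value="" rendering,
// plus a scan of a constructed /api/config-style object for break-out values.

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: the config value is interpolated as-is.
function renderInputUnsafe(key, value) {
  return `<input type="text" name="${key}" value="${value}">`;
}

// Hardened pattern: escape before interpolating (or set .value via the DOM).
function renderInputSafe(key, value) {
  return `<input type="text" name="${escapeAttr(key)}" value="${escapeAttr(value)}">`;
}

// Count double-quoted attributes on the rendered element. The templates
// emit exactly three; a fourth means the value escaped the attribute.
function countAttributes(html) {
  return (html.match(/\s[A-Za-z-]+="/g) || []).length;
}

// Walk a nested config object and return dotted paths of string values
// containing a double quote, the character that enables the break-out.
function findSuspiciousValues(obj, path = "") {
  const hits = [];
  for (const [k, v] of Object.entries(obj)) {
    const p = path ? `${path}.${k}` : k;
    if (v !== null && typeof v === "object") hits.push(...findSuspiciousValues(v, p));
    else if (typeof v === "string" && v.includes('"')) hits.push(p);
  }
  return hits;
}

// Constructed sample resembling /api/config output; one value is tampered.
const SAMPLE_CONFIG = {
  dns: { upstreams: ["9.9.9.9"], domain: "lan" },
  webserver: { domain: 'pi.hole" placeholder="tampered' },
};
const tampered = 'x" style="color:red';
console.log(countAttributes(renderInputUnsafe("k", tampered))); // 4
console.log(countAttributes(renderInputSafe("k", tampered)));   // 3
console.log(findSuspiciousValues(SAMPLE_CONFIG));              // [ 'webserver.domain' ]
```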

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-33406 allows authenticated Pi-hole administrators to inject arbitrary HTML attributes into configuration input fields, enabling UI redressing attacks that can manipulate the user interface but do not allow JavaScript execution or direct data exfiltration.

The impact is limited to low confidentiality and integrity loss, with no availability impact. Since the vulnerability does not enable direct unauthorized access to sensitive data or system resources, its effect on compliance with standards like GDPR or HIPAA is likely minimal.

However, because it involves potential manipulation of the administrative interface, organizations should consider the risk of UI redressing attacks in their security assessments and ensure proper administrative controls and validation to maintain compliance.


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation is to upgrade Pi-hole Web to version 6.5 or later, where this vulnerability is fixed.

Until the upgrade can be performed, avoid importing teleporter backup files from untrusted sources, as this is the main attack vector.

Restrict access to the Pi-hole admin interface to trusted administrators only, since authenticated admin privileges are required to exploit this vulnerability.

Avoid using the direct API PATCH /api/config method with untrusted input to prevent injection.

Monitor and audit configuration changes and teleporter imports for suspicious content.

