Low severity · 3.4 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 14, 2026
CVE-2026-33404
Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
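The missing output escaping described above, shown as an added example that is not Pi-hole's code: an unescaped row builder next to a hardened one that encodes stored values at the point of output. All function names and the sample records are hypothetical and constructed for illustration, and rows are built as strings so the block runs under Node without a DOM.

```javascript
// Constructed sample rows standing in for client records read from a database.
const sampleClients = [
  { ip: "192.168.1.20", name: "laptop.lan", queries: 412 },
  { ip: "192.168.1.37", name: 'printer<img src=x alt="&">', queries: 18 },
];

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe pattern: stored values are concatenated straight into markup,
// relying entirely on validation performed somewhere upstream.
function renderRowUnsafe(client) {
  return `<tr><td>${client.ip}</td><td>${client.name}</td><td>${client.queries}</td></tr>`;
}

// Hardened pattern: every stored value is escaped where it is written out,
// regardless of how it reached the database.
function renderRowSafe(client) {
  return (
    `<tr><td>${escapeHtml(client.ip)}</td>` +
    `<td>${escapeHtml(client.name)}</td>` +
    `<td>${escapeHtml(client.queries)}</td></tr>`
  );
}

// Chart tooltip label: same rule, falling back to the IP when no name is stored.
function tooltipLabel(client) {
  return `${escapeHtml(client.name || client.ip)}: ${escapeHtml(client.queries)}`;
}

// Review aid: list the fields of a record whose raw value differs from its
// escaped form, i.e. the fields that would alter markup if left unescaped.
function fieldsNeedingEscape(client) {
  return Object.keys(client).filter(
    (key) => escapeHtml(client[key]) !== String(client[key] ?? "")
  );
}

for (const client of sampleClients) {
  console.log(renderRowSafe(client), fieldsNeedingEscape(client));
}
```

In browser code, assigning the value through `textContent` instead of building markup strings gives the same protection without a manual escaper.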
References
- github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v (nvd, Third Party Advisory)