Low severity 3.4 · NVD Advisory · Published Apr 6, 2026 · Updated Apr 14, 2026
CVE-2026-33404
Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
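The output-escaping gap described above, as an added example that is not Pi-hole's own code: the hypothetical helpers `escapeHtml`, `renderClientRow` and `renderTooltip` show a database-derived hostname concatenated into markup as-is, next to the same row escaped at the point of output. The row layout and the sample records are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not code from Pi-hole's network.js or charts.js.

// Characters that are significant in HTML text nodes and quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  // null/undefined become an empty string; everything else is stringified first.
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: values read from the database are concatenated into markup as-is,
// trusting that validation happened when the record was written.
function renderClientRowUnescaped(client) {
  return `<tr><td title="${client.ip}">${client.ip}</td><td>${client.name}</td></tr>`;
}

// After: every database-derived field is escaped where it is written out,
// independent of whatever checks ran on the DHCP/DNS input path.
function renderClientRow(client) {
  const ip = escapeHtml(client.ip);
  const name = escapeHtml(client.name);
  return `<tr><td title="${ip}">${ip}</td><td>${name}</td></tr>`;
}

// Chart tooltips assembled as HTML strings need the same treatment.
function renderTooltip(label, count) {
  return `<div class="tooltip">${escapeHtml(label)}: ${Number(count) || 0}</div>`;
}

// Constructed sample rows: one ordinary record and one whose hostname carries markup.
const sampleClients = [
  { ip: "192.168.1.20", name: "kitchen-tv" },
  { ip: "192.168.1.21", name: '<i class="x">lab-pc</i> & co' },
];

function demo() {
  return sampleClients.map((c) => ({
    unescaped: renderClientRowUnescaped(c),
    escaped: renderClientRow(c),
  }));
}

console.log(demo());
```

Where the surrounding code builds DOM nodes rather than HTML strings, assigning the value through `textContent` gives the same result without a manual escape table.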
Affected products
1
Patches
0 · No patches discovered yet.
References
1
- github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v · nvd · Third Party Advisory