VYPR

Web Interface

by Pi Hole

Source repositories

CVEs (6)

  • CVE-2026-33765CriMar 27, 2026
    risk 0.57cvss 9.8epss 0.01

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled…

  • CVE-2026-33403MedApr 6, 2026
    risk 0.40cvss 6.1epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the…

  • CVE-2026-33406MedApr 6, 2026
    risk 0.35cvss 5.4epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in…

  • CVE-2026-33404LowApr 6, 2026
    risk 0.22cvss 3.4epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page)…

  • CVE-2026-33405LowApr 6, 2026
    risk 0.20cvss 3.1epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when…

  • CVE-2021-32793Aug 4, 2021
    risk 0.00cvss epss 0.01

    Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability.…