{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33403", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-04-06T14:48:05.132Z", "dateUpdated": "2026-04-06T15:05:23.490Z"}, "containers": {"cna": {"title": "Pi-hole has a Reflected XSS / HTML injection in taillog.js", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59"}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"version": ">= 6.0, < 6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:48:05.132Z"}, "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5."}], "source": {"advisory": "GHSA-7xqw-r9pr-qv59", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:05:19.739883Z", "id": "CVE-2026-33403", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:05:23.490Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33403", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:05:19.739883Z"}}}], "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:05:14.834Z"}}], "cna": {"title": "Pi-hole has a Reflected XSS / HTML injection in taillog.js", "source": {"advisory": "GHSA-7xqw-r9pr-qv59", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"status": "affected", "version": ">= 6.0, < 6.5"}]}], "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59", "name": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:48:05.132Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33403", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:05:23.490Z", "dateReserved": "2026-03-19T17:02:34.170Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T14:48:05.132Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F1EA9FF-4B56-41DE-A685-A1B75E6ECEF2", "versionEndIncluding": "6.4.1", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5."}], "id": "CVE-2026-33403", "lastModified": "2026-04-10T17:50:20.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:10.303", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,6.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "web", "source": "cna", "vendor": "pi-hole"}, "product": "web", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-10T19:41:57.893624+00:00", "value": {"mitigation_remediation": ["Upgrade Pi\u2011hole to version 6.5 or later and restart the web service.", "Validate that the upgrade is successful by accessing the admin interface. ", "If an immediate upgrade is not feasible, restrict inbound traffic to the Pi\u2011hole admin port using a firewall or VPN, limiting exposure to trusted administrators. ", "As a temporary measure, modify taillog.js to escape the query parameter before inserting it into innerHTML, or add a form\u2011action directive to the Content\u2011Security\u2011Policy header to block external form submissions."], "summary": {"action": "Immediate Patch", "impact": "Reflected DOM\u2011based XSS with potential credential exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Pi\u2011hole web interface in all releases from version 6.0 up to, but not including, 6.5. Any installation of Pi\u2011hole using those versions and exposing the admin interface to untrusted networks is exposed.", "description_and_impact": "A reflected DOM\u2011based cross\u2011site scripting flaw exists in the taillog.js file of the Pi\u2011hole admin interface. The script retrieves a query parameter and assigns it directly to an innerHTML property without any escaping or sanitisation. This allows an attacker to inject arbitrary HTML and JavaScript into the page. Because the Content\u2011Security\u2011Policy header is missing a form\u2011action directive, malicious <form> elements can be inserted and used to exfiltrate credentials to an external domain.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of mass exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker can exploit the flaw simply by crafting a malicious URL and luring a legitimate user to the Pi\u2011hole admin interface, making it a straightforward local or network\u00a0attack vector."}}}}, "created": "2026-04-06T20:14:22.961194+00:00", "updated": "2026-04-13T14:27:46.033962+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$web"]}