{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33405", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-04-06T15:23:32.750Z", "dateUpdated": "2026-04-06T18:37:49.276Z"}, "containers": {"cna": {"title": "Pi-hole has a Stored HTML Injection in queries.js", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq"}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"version": ">= 6.0, < 6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:23:32.750Z"}, "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5."}], "source": {"advisory": "GHSA-jx8x-mj2r-62vq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T18:37:34.520924Z", "id": "CVE-2026-33405", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:37:49.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33405", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T18:37:34.520924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T18:37:43.235Z"}}], "cna": {"title": "Pi-hole has a Stored HTML Injection in queries.js", "source": {"advisory": "GHSA-jx8x-mj2r-62vq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"status": "affected", "version": ">= 6.0, < 6.5"}]}], "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq", "name": "https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:23:32.750Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33405", "state": "PUBLISHED", "dateUpdated": "2026-04-06T18:37:49.276Z", "dateReserved": "2026-03-19T17:02:34.170Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:23:32.750Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F1EA9FF-4B56-41DE-A685-A1B75E6ECEF2", "versionEndIncluding": "6.4.1", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5."}], "id": "CVE-2026-33405", "lastModified": "2026-04-09T18:30:03.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T16:16:33.610", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,6.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "web", "source": "cna", "vendor": "pi-hole"}, "product": "web", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-09T19:52:54.351445+00:00", "value": {"mitigation_remediation": ["Update Pi\u2011hole Web Interface to version 6.5 or later, which includes the fix for the HTML injection issue.", "If an upgrade is not immediately possible, modify the formatInfo() function in queries.js to properly escape all HTML output before rendering.", "Periodically review the Query Log view for unexpected content and apply additional sanitization filters if necessary.", "Stay informed of future Pi\u2011hole security advisories to ensure timely patching."], "summary": {"action": "Apply Patch", "impact": "Stored HTML injection in Pi\u2011hole Admin Interface query logs"}, "threat_synthesis": {"affected_systems": "Pi\u2011hole Web Interface versions 6.0 through 6.4 are affected. The issue is fixed in version 6.5 and later.", "description_and_impact": "A stored cross\u2011site scripting vulnerability exists in the Pi\u2011hole Admin Interface. When a user expands a query row, the formatInfo() function renders unescaped data from the upstream, client IP, and ede.text fields into the page. The payload is stored and is displayed when the row is expanded. JavaScript execution is blocked by the server's CSP (script\u2011src 'self'), so direct script execution is precluded. The impact is therefore limited to malicious HTML content being displayed, which could include visual defacement or other non\u2011executing malicious content.", "risk_and_exploitability": "The CVSS score of 3.1 indicates low severity. The EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the KEV catalog. The attack vector is inferred to require an attacker who can inject arbitrary data into the query logs, such as via upstream traffic or client IP, before a user expands the row. Because the content is stored and the CSP blocks script execution, the risk is moderate and exploitation is unlikely in typical deployments, but the presence of unsanitized HTML could still affect the UI experience."}}}}, "created": "2026-04-06T20:14:05.678482+00:00", "updated": "2026-04-10T09:45:09.223075+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$web"]}