{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33406", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-04-06T14:50:35.670Z", "dateUpdated": "2026-04-07T14:08:17.918Z"}, "containers": {"cna": {"title": "Pi-hole has a Stored HTML attribute injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p"}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"version": ">= 6.0, < 6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:50:35.670Z"}, "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value=\"\" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5."}], "source": {"advisory": "GHSA-9rfm-c5g6-538p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:06:57.963921Z", "id": "CVE-2026-33406", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:08:17.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Pi-hole has a Stored HTML attribute injection", "source": {"advisory": "GHSA-9rfm-c5g6-538p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"status": "affected", "version": ">= 6.0, < 6.5"}]}], "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p", "name": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value=\"\" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:50:35.670Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33406", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:06:57.963921Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T14:08:13.239Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33406", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:50:35.670Z", "dateReserved": "2026-03-19T17:02:34.170Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T14:50:35.670Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F1EA9FF-4B56-41DE-A685-A1B75E6ECEF2", "versionEndIncluding": "6.4.1", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value=\"\" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5."}], "id": "CVE-2026-33406", "lastModified": "2026-04-14T02:04:17.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T15:17:10.627", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0,6.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "web", "source": "cna", "vendor": "pi-hole"}, "product": "web", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-14T03:52:23.675178+00:00", "value": {"mitigation_remediation": ["Upgrade Pi\u2011hole to version\u202f6.5 or later, which removes the issue.", "Only import backups from trusted sources to avoid malicious configuration values.", "If upgrading is not immediately possible, restrict backup import to administrative accounts or disable the feature."], "summary": {"action": "Patch", "impact": "Attribute injection allows UI manipulation"}, "threat_synthesis": {"affected_systems": "The flaw resides in the Pi\u2011hole web interface component, affecting installations using versions 6.0 through 6.4. The vulnerability stems from the /api/config endpoint and the settings\u2011advanced.js script that processes the returned values. Version 6.5 and later contain the fix.", "description_and_impact": "Pi\u2011hole\u2019s administrative web interface injects configuration values directly into HTML value attributes without escaping. A double quote in any config value breaks out of the attribute context, enabling arbitrary attribute injection. Because the server\u2019s content\u2011security\u2011policy restricts JavaScript execution, the attack is limited to altering element styling for UI redressing, but it does not lead to code execution or data exfiltration.", "risk_and_exploitability": "The CVSS base score is 5.4, indicating a moderate severity risk. The EPSS score is below 1\u202f%, suggesting that wide\u2011scale exploitation is unlikely. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need to supply a malicious teleporter backup file, which is imported through the web interface and bypasses per\u2011field validation. Therefore the attack vector is user\u2011initiated import, and the impact is restricted to UI manipulation, without compromising confidentiality or integrity."}}}}, "created": "2026-04-06T20:14:20.932452+00:00", "updated": "2026-04-14T16:41:17.190454+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$web"]}