{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33406", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-04-06T14:50:35.670Z", "dateUpdated": "2026-04-06T14:50:35.670Z"}, "containers": {"cna": {"title": "Pi-hole has a Stored HTML attribute injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p"}], "affected": [{"vendor": "pi-hole", "product": "web", "versions": [{"version": ">= 6.0, < 6.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T14:50:35.670Z"}, "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value=\"\" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5."}], "source": {"advisory": "GHSA-9rfm-c5g6-538p", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value=\"\" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5."}], "id": "CVE-2026-33406", "lastModified": "2026-04-06T15:17:10.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:10.627", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0,6.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "web", "source": "cna", "vendor": "pi-hole"}, "product": "web", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-06T17:41:42.119773+00:00", "value": {"mitigation_remediation": ["Update Pi\u2011hole to version 6.5 or later, which fixes the injection issue.", "If an upgrade is not possible, avoid importing backups from untrusted sources.", "Verify that the CSP is enforced and no script-src overrides exist.", "Consider disabling the teleporter backup import functionality until a patch is available."], "summary": {"action": "Immediate Patch", "impact": "UI Redressing via Stored HTML Attribute Injection"}, "threat_synthesis": {"affected_systems": "The flaw exists in Pi\u2011hole Admin Interface versions from 6.0 up to, but not including, 6.5. Any installation running those versions and importing configuration backups is susceptible.", "description_and_impact": "Pi\u2011hole\u2019s admin web interface allows configuration values to be stored directly as HTML attribute values without escaping. A value that contains a double quote terminates the attribute, letting an attacker inject arbitrary attribute content. While the server\u2019s CSP blocks inline scripts, the injection can alter element styling, enabling UI redressing attacks that could trick users into interacting with malicious UI elements, potentially leading to credential compromise or further exploitation.", "risk_and_exploitability": "The CVSS score of 5.4 reflects moderate risk, and the vulnerability is not listed in KEV. Exploitation requires control over a backup file; the primary attack vector is an attacker supplying a malicious teleporter backup to a victim. The attack can be carried out locally or via administrative privileges that allow backup import. Because the attack is limited to the UI and cannot execute arbitrary JavaScript, the impact is confined to UI redressing rather than full remote code execution, but it can still be used to facilitate phishing or credential theft."}}}}, "created": "2026-04-06T20:14:20.932452+00:00", "updated": "2026-04-06T21:32:34.705336+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$web"]}