CVE-2026-33405— Pi-hole has a Stored HTML Injection in queries.js
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33405
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pi-hole has a Stored HTML Injection in queries.js
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Pi-hole Web Interface 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Pi-hole Web Interface是Pi-hole开源的一个仪表板Web界面。 Pi-hole Web Interface 6.0至6.5之前版本存在跨站脚本漏洞,该漏洞源于queries.js中formatInfo函数渲染数据时未转义,可能导致存储型HTML注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33405
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33405
请登录查看更多情报信息。
- Stored HTML Injection in queries.js · Advisory · pi-hole/web · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-33405
Same Patch Batch · pi-hole · 2026-04-06 · 5 CVEs total
| CVE-2026-33727 | 6.4 MEDIUM | Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root). |
| CVE-2026-33403 | 6.1 MEDIUM | Pi-hole has a Reflected XSS / HTML injection in taillog.js |
| CVE-2026-33406 | 5.4 MEDIUM | Pi-hole has a Stored HTML attribute injection |
| CVE-2026-33404 | 3.4 LOW | Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard |
IV. Related Vulnerabilities
Same product: web
- CVE-2026-33406
Pi-hole has a Stored HTML attribute injection - CVE-2026-33404
Pi-hole has a Stored XSS / HTML injection in the Network pag - CVE-2026-33403
Pi-hole has a Reflected XSS / HTML injection in taillog.js - CVE-2026-33765
Pi-hole Web Interface has a Command Injection Vulnerability - CVE-2026-26953
Pi-hole Web Interface has Stored HTML Injection via X-Forwar
Same vendor: pi-hole
- CVE-2026-39849
Pi-hole FTL remote code execution via newline injection in d - CVE-2026-35521
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp - CVE-2026-35520
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp - CVE-2026-35519
Pi-hole FTL affected by Remote Code Execution (RCE) via dns. - CVE-2026-35518
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-33405
No comments yet