CVE-2026-33406— Pi-hole has a Stored HTML attribute injection
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33406
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pi-hole has a Stored HTML attribute injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Pi-Hole Adminlte 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Pi-Hole Adminlte是一个控制面板。用于统计更多数据。 Pi-Hole Adminlte 6.0至6.5之前版本存在跨站脚本漏洞,该漏洞源于配置值直接放入HTML属性未转义,可能导致HTML属性注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33406
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33406
请登录查看更多情报信息。
Same Patch Batch · pi-hole · 2026-04-06 · 5 CVEs total
| CVE-2026-33727 | 6.4 MEDIUM | Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root). |
| CVE-2026-33403 | 6.1 MEDIUM | Pi-hole has a Reflected XSS / HTML injection in taillog.js |
| CVE-2026-33404 | 3.4 LOW | Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard |
| CVE-2026-33405 | 3.1 LOW | Pi-hole has a Stored HTML Injection in queries.js |
IV. Related Vulnerabilities
Same product: web
- CVE-2026-33405
Pi-hole has a Stored HTML Injection in queries.js - CVE-2026-33404
Pi-hole has a Stored XSS / HTML injection in the Network pag - CVE-2026-33403
Pi-hole has a Reflected XSS / HTML injection in taillog.js - CVE-2026-33765
Pi-hole Web Interface has a Command Injection Vulnerability - CVE-2026-26953
Pi-hole Web Interface has Stored HTML Injection via X-Forwar
Same vendor: pi-hole
- CVE-2026-39849
Pi-hole FTL remote code execution via newline injection in d - CVE-2026-35521
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp - CVE-2026-35520
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp - CVE-2026-35519
Pi-hole FTL affected by Remote Code Execution (RCE) via dns. - CVE-2026-35518
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-33406
No comments yet