CVE-2025-53533 PoC — Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-53533.yaml

Associated Vulnerability

Title:Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page (CVE-2025-53533)
Description:Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3.

Description

Pi-hole Admin Interface <= 6.2.1 contains a reflected XSS vulnerability on the 404 error page. The URL path is reflected unsanitized into the `class` attribute of the `body` tag, allowing attribute injection via a crafted URL to execute arbitrary JavaScript in victim browsers.

File Snapshot


 id: CVE-2025-53533

info:
  name: Pi-hole Reflected XSS in 404-Error Page
  author: DhiyaneshDk
  se

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!