cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
Product: Web Interface (00a114ed-9766-5deb-b857-4bce05d2cd61)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/pi-hole/adminlte | purl2cpe | 2026-06-01 10:10:57.016062
pkg:github/pi-hole/web | purl2cpe | 2026-06-01 10:10:57.016064

Vulnerability references

Identifier: CVE-2026-33765
Applicability: vulnerable
Submitted: 2026-06-08 07:59:10.724535
Title: Pi-hole Web Interface has a Command Injection Vulnerability
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
Published: 2026-03-27T19:46:57.679Z
Updated: 2026-04-02T13:04:40.898Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-33406
Applicability: vulnerable
Submitted: 2026-06-08 07:59:09.879338
Title: Pi-hole has a Stored HTML attribute injection
Severity: MEDIUM (5.4)
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
Published: 2026-04-06T14:50:35.670Z
Updated: 2026-04-07T14:08:17.918Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-33405
Applicability: vulnerable
Submitted: 2026-06-08 07:59:09.878929
Title: Pi-hole has a Stored HTML Injection in queries.js
Severity: LOW (3.1)
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.
Published: 2026-04-06T15:23:32.750Z
Updated: 2026-04-06T18:37:49.276Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-33404
Applicability: vulnerable
Submitted: 2026-06-08 07:59:09.878571
Title: Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard
Severity: LOW (3.4)
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping, an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
Published: 2026-04-06T14:48:45.348Z
Updated: 2026-04-06T18:39:53.011Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-33403
Applicability: vulnerable
Submitted: 2026-06-08 07:59:09.877964
Title: Pi-hole has a Reflected XSS / HTML injection in taillog.js
Severity: MEDIUM (6.1)
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.
Published: 2026-04-06T14:48:05.132Z
Updated: 2026-04-06T15:05:23.490Z
Rationale: Imported from gcve-enriched-dumps CVE data
The following references were imported from gcve-enriched-dumps CVE data; all are recorded as vulnerable for this CPE.

Identifier | Applicability | Submitted
CVE-2026-26953 | vulnerable | 2026-06-08 07:53:21.770740
CVE-2026-26952 | vulnerable | 2026-06-08 07:53:21.770191
CVE-2025-59151 | vulnerable | 2026-06-08 07:35:20.058953
CVE-2025-53533 | vulnerable | 2026-06-08 07:31:14.676978
CVE-2025-34087 | vulnerable | 2026-06-08 07:19:02.165049
CVE-2025-32785 | vulnerable | 2026-06-08 07:19:00.849856
CVE-2023-23614 | vulnerable | 2026-06-08 05:56:03.779566
CVE-2021-41175 | vulnerable | 2026-06-08 05:35:19.905129
CVE-2021-3812 | vulnerable | 2026-06-08 05:33:54.364935
CVE-2021-3811 | vulnerable | 2026-06-08 05:33:54.364431
CVE-2021-3706 | vulnerable | 2026-06-08 05:33:53.469258
CVE-2021-29448 | vulnerable | 2026-06-08 05:31:26.383477