This page lists publicly disclosed CVE vulnerabilities affecting the pi-hole web_interface product (matched via its NVD CPE entry). Each row gives the CVE identifier, a summary, the reporting source, the maximum CVSS score, the EPSS exploitation probability, and the publication and last-updated dates, to help identify and prioritize security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-33405 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), | [email protected] | 3.1 | 0.02% | 2026-04-06 | 2026-04-09 |
| CVE-2026-33406 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes ca | [email protected] | 5.4 | 0.04% | 2026-04-06 | 2026-04-14 |
| CVE-2026-33404 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields | [email protected] | 3.4 | 0.02% | 2026-04-06 | 2026-04-14 |
| CVE-2026-33403 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <f | [email protected] | 6.1 | 0.06% | 2026-04-06 | 2026-04-10 |
| CVE-2026-33765 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbi | [email protected] | 8.9 | 0.24% | 2026-03-27 | 2026-04-07 |
| CVE-2026-26953 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered in the browser of any administrator who visits the active sessions page. The rowCallback function contains the value data.x_forwarded_for, which is | [email protected] | 5.4 | 0.06% | 2026-02-19 | 2026-03-12 |
| CVE-2026-26952 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rendered every time the DNS records table is viewed. The populateDataTable() function contains a data variable with the full DNS record value exactly as | [email protected] | 5.4 | 0.04% | 2026-02-19 | 2026-03-12 |
| CVE-2025-59151 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input. An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the | [email protected] | 8.2 | 0.06% | 2025-10-27 | 2025-12-18 |
| CVE-2025-53533 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping. An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code | [email protected] | 5.1 | 0.48% | 2025-10-27 | 2025-12-18 |
| CVE-2025-32785 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScript by adding a payload to the Address field when creating or editing a list entry. The vulnerability is triggered when another user navigates to the | [email protected] | 2.0 | 0.02% | 2025-10-27 | 2025-12-18 |
| CVE-2023-23614 | Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set | [email protected] | 8.8 | 0.22% | 2023-01-26 | 2024-11-21 |
| CVE-2021-41175 | Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. | [email protected] | 7.3 | 0.40% | 2021-10-26 | 2024-11-21 |
| CVE-2021-3812 | adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | [email protected] | 6.1 | 0.18% | 2021-09-17 | 2024-11-21 |
| CVE-2021-3811 | adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | [email protected] | 6.1 | 0.18% | 2021-09-17 | 2024-11-21 |
| CVE-2021-3706 | adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag | [email protected] | 7.5 | 0.25% | 2021-09-15 | 2024-11-21 |
| CVE-2021-29448 | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details. | [email protected] | 7.6 | 0.30% | 2021-04-15 | 2024-11-21 |