CVE-2026-33404 Overview
CVE-2026-33404 is a Cross-Site Scripting (XSS) vulnerability in the Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. The vulnerability affects versions 6.0 to before 6.5, where client hostnames and IP addresses from the FTL database are rendered into the DOM without proper escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips).
While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping — an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in version 6.5.
Critical Impact
Attackers with local access and high privileges could potentially inject malicious scripts through client hostnames or IP addresses, leading to session hijacking, credential theft, or unauthorized actions within the Pi-hole admin interface.
Affected Products
- Pi-hole Admin Interface versions 6.0 to before 6.5
- Pi-hole Web Interface (network.js, charts.js, index.js components)
Discovery Timeline
- 2026-04-06 - CVE-2026-33404 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-33404
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Cross-Site Scripting). The root issue lies in the inconsistent output encoding within the Pi-hole web interface. Specifically, the Network page and Dashboard chart tooltips render client hostnames and IP addresses directly into the DOM without sanitization, while other fields in the same codebase are properly escaped.
Although dnsmasq and FTL (Faster Than Light DNS resolver) provide upstream validation that typically blocks HTML characters through standard DHCP and DNS pathways, this does not constitute a complete defense. The web interface itself should implement proper output encoding as a defense-in-depth measure, regardless of upstream protections.
The attack requires local access with high privileges, which limits the attack surface but still presents a risk in shared or compromised network environments where an attacker might have administrative access or be able to manipulate FTL database entries through other means.
Root Cause
The vulnerability stems from improper output encoding in the JavaScript files responsible for rendering the Pi-hole admin interface. The network.js file, which handles the Network page display, and the charts.js/index.js files, which manage Dashboard chart tooltips, both render client data without applying HTML entity escaping.
This creates an inconsistency where some fields in the codebase are properly escaped while others are not, indicating a gap in secure coding practices during development. The assumption that upstream validation is sufficient leaves the application vulnerable if those protections are bypassed or if data is introduced through alternative paths.
Attack Vector
The attack vector for CVE-2026-33404 requires local access with high privileges. An attacker would need to:
- Gain access to manipulate client hostname or IP address data in the FTL database
- Inject malicious JavaScript payloads disguised as hostname or IP address values
- Wait for an administrator to view the Network page or Dashboard chart tooltips
When the targeted admin views the affected pages, the malicious script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions as the admin, or redirect to malicious sites.
The vulnerability manifests in the DOM rendering functions within network.js and charts.js/index.js. See the Pi-hole security advisory for technical details.
Detection Methods for CVE-2026-33404
Indicators of Compromise
- Unexpected or suspicious client hostnames containing HTML tags or JavaScript code in the Pi-hole admin interface
- Unusual entries in the FTL database with characters such as <, >, script, or encoded equivalents
- Browser developer console errors or warnings related to script execution on the Network or Dashboard pages
Detection Strategies
- Monitor Pi-hole FTL database entries for hostnames or IP addresses containing suspicious characters or script-like patterns
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Review browser console logs for unexpected JavaScript errors or cross-site scripting warnings when viewing Pi-hole admin pages
- Audit network traffic for unusual requests originating from the Pi-hole admin interface to external domains
Monitoring Recommendations
- Enable logging for Pi-hole admin interface access and monitor for unusual patterns or repeated page views
- Configure intrusion detection systems to alert on XSS attack signatures in network traffic to Pi-hole admin interfaces
- Regularly audit FTL database contents for anomalous hostnames or IP address entries
- Deploy endpoint detection solutions to monitor for browser-based script injection attempts
How to Mitigate CVE-2026-33404
Immediate Actions Required
- Upgrade Pi-hole Admin Interface to version 6.5 or later immediately
- Audit existing FTL database entries for suspicious hostnames or IP addresses containing HTML or script content
- Restrict administrative access to the Pi-hole interface to trusted users only
- Implement network segmentation to limit exposure of the Pi-hole admin interface
Patch Information
The vulnerability is fixed in Pi-hole Admin Interface version 6.5. Users should upgrade to this version or later to remediate the XSS vulnerability. The patch implements proper output escaping for client hostnames and IP addresses rendered in network.js and charts.js/index.js.
For detailed information about the fix, refer to the Pi-hole security advisory on GitHub.
Workarounds
- Limit access to the Pi-hole admin interface to trusted administrators only until patching is complete
- Implement strict Content Security Policy (CSP) headers to block inline script execution as an additional layer of defense
- Monitor FTL database entries for suspicious content and sanitize any anomalous hostnames or IP addresses manually
- Consider placing the Pi-hole admin interface behind a VPN or reverse proxy with additional authentication controls
# Example: Restrict access to Pi-hole admin interface by IP
# Add to /etc/lighttpd/external.conf or equivalent web server config
$HTTP["remoteip"] != "192.168.1.0/24" {
url.access-deny = ( "/admin" )
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
