What is the CVSS score of CVE-2026-33406?

CVE-2026-33406 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-33406?

Yes, a patch is available for CVE-2026-33406. Update the affected software to the latest version immediately.

Web Interface CVE-2026-33406

EUVD-2026-19285 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-06 security-advisories@github.com

XSS Web Interface

5.4

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.4 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

6.5

EUVD ID Assigned

Apr 06, 2026 - 15:22 euvd

EUVD-2026-19285

Analysis Generated

Apr 06, 2026 - 15:22 vuln.today

CVE Published

Apr 06, 2026 - 15:17 nvd

MEDIUM 5.4

DescriptionGitHub Advisory

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.

AnalysisAI

Stored cross-site scripting (XSS) via HTML attribute injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows unauthenticated remote attackers to perform UI redressing and information disclosure by injecting double quotes into configuration values displayed in settings-advanced.js, exploitable through malicious teleporter backup imports that bypass server-side field validation.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 5.4 (Medium) with CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N reflects network-accessible, low-complexity attack requiring user interaction (UI:R) but no privileges, yielding limited confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious Pi-hole teleporter backup file containing a double-quote-injected configuration value (e.g., a custom DNS record or blocklist name with payload like " style="display:none" "). When an admin imports this backup into their Pi-hole instance via the web interface, the config value is stored and later rendered unescaped in settings-advanced.js. …
Remediation	Vendor-released patch: upgrade to Pi-hole Admin Interface version 6.5 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33406 vulnerability details – vuln.today

Back