
Web Interface EUVD-2026-19281 | CVE-2026-33404

Severity: LOW, 3.4 (CVSS 3.1, GitHub Advisory)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-04-06 by security-advisories@github.com

Severity by source

GitHub Advisory (PRIMARY): 3.4 LOW
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory; it is the only source rating this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

  Attack Vector (AV):        Local
  Attack Complexity (AC):    Low
  Privileges Required (PR):  High
  User Interaction (UI):     None
  Scope (S):                 Unchanged
  Confidentiality (C):       Low
  Integrity (I):             Low
  Availability (A):          None

Lifecycle Timeline

Apr 06, 2026 - 15:17  CVE Published (nvd), rated LOW 3.4
Apr 06, 2026 - 15:22  EUVD ID Assigned (euvd): EUVD-2026-19281
Apr 06, 2026 - 15:22  Analysis Generated (vuln.today)
Apr 16, 2026 - 05:29  Patch available (EUVD): version 6.5

Description (GitHub Advisory)

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping - an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.

Analysis (AI-generated)

Pi-hole Admin Interface versions 6.0 through 6.4 (that is, from 6.0 to before 6.5) do not escape client hostnames and IP addresses read from the FTL database before inserting them into the DOM on the Network page (network.js) and in the Dashboard chart tooltips (charts.js/index.js). Any HTML stored in those fields therefore becomes a stored cross-site scripting (XSS) payload that runs in the browser of every administrator who views the affected page, with that administrator's session. The bar for planting such a value is high: dnsmasq and FTL already reject HTML characters on the normal DHCP and DNS paths, so an attacker must bypass that validation by getting the value into the FTL database some other way, which in practice means an already privileged, local position (matching the AV:L/PR:H vector). …


Vulnerability Assessment (AI-generated)

Risk Assessment The CVSS v3.1 base score of 3.4 (Low) follows directly from the vector: the attacker must already hold a local, highly privileged position (AV:L, PR:H), the attack itself is straightforward (AC:L), it is rated as needing no victim interaction (UI:N), and the impact stays within the web interface's own scope with limited loss of confidentiality and integrity (S:U, C:L, I:L) and no availability impact (A:N). Note that the payload only fires when another administrator opens the Network page or a chart tooltip, so the practical exposure is the admin session of whoever views the planted record. …
Exploit Scenario An attacker who already holds admin credentials (or has compromised an admin account) and can write to the FTL database stores a hostname such as '<img src=x onerror="alert(document.cookie)">' against a client device. Setting the name via a DHCP reservation or a DNS record would normally be stopped by the dnsmasq/FTL validation the advisory mentions, so direct manipulation of the database is the realistic path, which is why the vector is local and high-privilege. When another administrator opens the Network page or hovers over a Dashboard chart tooltip that shows this client, the payload executes in that administrator's browser under the authenticated Pi-hole Admin Interface session, which allows API calls as that administrator, theft of the session token, or changes to Pi-hole settings. …
Remediation Upgrade Pi-hole Admin Interface to version 6.5 or later, which escapes client hostnames and IP addresses before they are rendered in network.js and charts.js/index.js. The fix is on the rendering side only: a hostname already stored with HTML metacharacters stays in the database after the upgrade, and because the normal DHCP/DNS paths reject such values, any such record is itself a sign that the validation was bypassed and should be investigated. …
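The following JavaScript is an added example, not Pi-hole's own code and not code from the advisory. It models the rendering pattern described in the Description and Exploit Scenario above (database-sourced hostname interpolated into markup without escaping) next to the escaped form that the fix described under Remediation introduces, and adds a defender-side check for stored names containing HTML metacharacters. The client records are constructed sample data, and the names `escapeHtml`, `renderClientRowUnsafe`, `renderClientRowSafe`, `tooltipHtmlSafe` and `findSuspiciousClients` are illustrative assumptions; the real network.js and charts.js differ.

```javascript
// Added example, not Pi-hole's own code. Models the bug class in
// CVE-2026-33404: client names and IPs read from the FTL database are
// concatenated into markup without escaping. The rows below are
// constructed sample data, not real FTL records.

const clients = [
  { ip: "192.168.1.20", name: "laptop.lan", queries: 412 },
  // HTML in a hostname. Normal DHCP/DNS paths reject this (dnsmasq/FTL
  // validation); it is shown here as if it had been written to the
  // database directly, which is the case the advisory is about.
  { ip: "192.168.1.66", name: '<img src=x onerror="alert(document.cookie)">', queries: 7 },
  { ip: "192.168.1.7", name: "", queries: 3 },
];

// Escape the five characters that can break out of text or out of a
// double/single-quoted attribute. Ampersand goes first so that the
// entities produced by the later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: database fields interpolated straight into a row
// that the page later assigns to innerHTML. The <img> in the hostname
// becomes a real element and its onerror handler runs.
function renderClientRowUnsafe(client) {
  const name = client.name || "N/A";
  return `<tr><td>${client.ip}</td><td>${name}</td><td>${client.queries}</td></tr>`;
}

// Hardened pattern: every database-sourced string is escaped at the
// point where it enters markup. The hostname is still displayed, but
// as literal text; the numeric column is coerced rather than escaped.
function renderClientRowSafe(client) {
  const name = client.name || "N/A";
  return `<tr><td>${escapeHtml(client.ip)}</td><td>${escapeHtml(name)}</td><td>${Number(client.queries)}</td></tr>`;
}

// Same rule for the chart tooltip path: if a tooltip is built as HTML,
// the label must be escaped too. In a text-only tooltip escaping would
// be unnecessary, since no markup is parsed there.
function tooltipHtmlSafe(client) {
  return `<span class="tooltip-client">${escapeHtml(client.name || client.ip)}</span>`;
}

// Defender-side check: with upstream validation in place, a stored name
// containing HTML metacharacters should not exist at all, so any hit is
// worth investigating in the FTL database regardless of the UI fix.
const HTML_META = /[<>"'&]/;
function findSuspiciousClients(list) {
  return list.filter((c) => HTML_META.test(c.name || ""));
}

// Stand-alone run: show the two renderings side by side.
if (typeof require !== "undefined" && require.main === module) {
  for (const c of clients) {
    console.log("unsafe:", renderClientRowUnsafe(c));
    console.log("safe:  ", renderClientRowSafe(c));
  }
  console.log("suspicious:", findSuspiciousClients(clients).map((c) => c.ip));
}
```

In a browser, assigning the unsafe row to `innerHTML` creates the `<img>` element and fires its `onerror` handler; the safe row renders the same hostname as visible text. Where the page already owns the DOM node, setting `textContent` instead of building HTML strings avoids the problem without an escaper at all; escaping is the right tool when, as here, markup is assembled as a string.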



EUVD-2026-19281 vulnerability details – vuln.today
