EUVD-2026-19281
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping - an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
Analysis
Pi-hole Admin Interface versions 6.0 through 6.4 fail to escape client hostnames and IP addresses from the FTL database when rendering them into the DOM in the Network page and Dashboard chart tooltips, enabling stored cross-site scripting (XSS) attacks. An authenticated admin with high privileges can inject malicious scripts that execute in the context of other administrators' browsers, though the attack requires initial compromise of a DHCP/DNS client hostname field and circumvention of upstream validation in dnsmasq and FTL. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today