EUVD-2026-19283

| CVE-2026-33405 LOW
2026-04-06 GitHub_M
3.1
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Apr 06, 2026 - 15:30 vuln.today
EUVD ID Assigned
Apr 06, 2026 - 15:30 euvd
EUVD-2026-19283
CVE Published
Apr 06, 2026 - 15:23 nvd
LOW 3.1

Tags

XSS

Description

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.

Analysis

Stored HTML injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows authenticated high-privilege users to inject unescaped HTML into query log details via the formatInfo() function, affecting the upstream, client IP, and error description fields. JavaScript execution is mitigated by Content Security Policy, limiting the practical impact to HTML-based attacks such as DOM manipulation or phishing content injection. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

16
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +16
POC: 0

Share

EUVD-2026-19283 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy