
Web · EUVD-2026-19283 | CVE-2026-33405 · LOW
Cross-site Scripting (XSS) (CWE-79)
Published 2026-04-06 · Source: GitHub_M
CVSS 3.1 score: 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline (4 events)

Patch available (version 6.5): Apr 16, 2026 - 05:29 (EUVD)
EUVD ID Assigned (EUVD-2026-19283): Apr 06, 2026 - 15:30 (euvd)
Analysis Generated: Apr 06, 2026 - 15:30 (vuln.today)
CVE Published (LOW 3.1): Apr 06, 2026 - 15:23 (nvd)

Description (GitHub Advisory)

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.

Analysis (AI)

Stored HTML injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows authenticated high-privilege users to inject unescaped HTML into query log details via the formatInfo() function, affecting the upstream, client IP, and error description fields. JavaScript execution is mitigated by Content Security Policy, limiting the practical impact to HTML-based attacks such as DOM manipulation or phishing content injection. …


Vulnerability Assessment (AI)

Risk Assessment: CVSS 3.1 reflects low overall severity due to four mitigating factors: the local attack vector (AV:L) limits reach to users with direct web console access, the high privilege requirement (PR:H) restricts exploitation to administrators, the required user interaction (UI:R) means the victim must expand a query row, and the confidentiality and integrity impacts are low (C:L, I:L) with no availability impact. …

Exploit Scenario: An authenticated administrator with high-privilege access to the Pi-hole web console expands a query row in the Query Log containing attacker-controlled data in the upstream field (e.g., a malicious upstream DNS name or response that was captured as a query). The formatInfo() function renders this unescaped HTML, allowing injection of DOM elements such as `<img>` tags with malicious src attributes or `<iframe>` elements to redirect users. …

Remediation: Vendor-released patch: Pi-hole Admin Interface version 6.5 and later. …
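The description and exploit scenario above both turn on one detail: the expanded-row renderer interpolates DNS-derived fields straight into HTML, while the table view escapes them. The block below is an added example, not Pi-hole's code; it contrasts the defective pattern with an escaped one and adds a small check a reviewer or test suite could use to catch the omission. The field names (upstream, client.ip, ede.text) follow the advisory; the helper names escapeHtml, formatInfoUnsafe, formatInfoSafe and containsRawTag, and the sample record, are constructed for this example.

```javascript
// Added example (not the Pi-hole project's code). Demonstrates why the
// expanded-row detail must HTML-escape DNS-derived fields before they are
// inserted into the page, and shows a simple check for unescaped markup.

// Minimal HTML escaper for text nodes and double-quoted attribute values.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  // Coerce to string so null/undefined/numbers never reach the DOM raw.
  return String(value ?? "").replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// The defective pattern (hypothetical reconstruction of the bug class):
// untrusted fields interpolated directly into markup.
function formatInfoUnsafe(data) {
  return `<div><b>Upstream:</b> ${data.upstream}</div>` +
         `<div><b>Client:</b> ${data.client.ip}</div>` +
         `<div><b>EDE:</b> ${data.ede ? data.ede.text : "-"}</div>`;
}

// The hardened pattern: every field that originates from DNS traffic
// (upstream name, client IP, EDE text) is escaped before insertion.
function formatInfoSafe(data) {
  return `<div><b>Upstream:</b> ${escapeHtml(data.upstream)}</div>` +
         `<div><b>Client:</b> ${escapeHtml(data.client.ip)}</div>` +
         `<div><b>EDE:</b> ${escapeHtml(data.ede ? data.ede.text : "-")}</div>`;
}

// Review/test helper: true if a rendered fragment still contains a raw tag
// of a kind that has no business coming from a data field.
function containsRawTag(html) {
  return /<(img|iframe|script|svg|a)\b/i.test(html);
}

// Constructed sample record: a query whose upstream and EDE fields carry
// injected markup, the way a malicious DNS response could supply it.
const SAMPLE = {
  upstream: '<img src="x">',
  client: { ip: "192.0.2.10" },
  ede: { text: "Blocked <iframe src=\"//example.invalid\"></iframe>" },
};

console.log("unsafe contains raw tag:", containsRawTag(formatInfoUnsafe(SAMPLE)));
console.log("safe contains raw tag:  ", containsRawTag(formatInfoSafe(SAMPLE)));
```

Escaping at the point of insertion is the actual fix; the server's CSP (script-src 'self') only stops inline script, which is why the advisory still counts `<img>` and `<iframe>` injection as impact. Running the containsRawTag check over every renderer that builds HTML from query data would have flagged the difference between the escaped table view and the unescaped detail view.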



EUVD-2026-19283 vulnerability details – vuln.today
