{"id":"CVE-2026-33405","summary":"Pi-hole has a Stored HTML Injection in queries.js","details":"Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.","aliases":["GHSA-jx8x-mj2r-62vq"],"modified":"2026-07-15T01:49:21.363849501Z","published":"2026-04-06T15:23:32.750Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33405.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33405.json"},{"type":"ADVISORY","url":"https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33405"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pi-hole/web","events":[{"introduced":"a66d859aecb427faad6adfce144fd97fbeb26a13"},{"fixed":"7a17e01c28eeb7af2c43384eccf5d859e3061371"}],"database_specific":{"extracted_events":[{"introduced":"6.0"},{"fixed":"6.5"},{"last_affected":"6.4.1"}],"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*"}}],"versions":["v6.4.1","v6.4","v6.3","v6.2.1","v6.1","v6.0.2","v6.0.1","v6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33405.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"}]}