CVE-2026-33403 — Reflected XSS / HTML Injection in Pi-hole Web (taillog.js)

Summary

CVE ID: CVE-2026-33403
Advisory: GHSA-7xqw-r9pr-qv59
Vulnerability Type: Reflected DOM-based XSS / HTML Injection
Attack Vector: Network
CVSS v3.1 Base Score: 6.1 (Medium)
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Versions: Pi-hole Web v6.0 through v6.4.1
Patched Version: v6.5
Discovered By: Mohammed Alzahrani, andrejtomci, n1rwhex

Description

Pi-hole Web versions 6.0 through 6.4.1 contain a reflected XSS / HTML injection vulnerability in scripts/js/taillog.js. The file query parameter is used in an error message that is inserted directly into the DOM via innerHTML without sanitization or escaping. ...

June 28, 2026 · 2 min · Mohammed Alzahrani

CVE-2026-35491 — Authorization Bypass in Pi-hole FTL via Teleporter Endpoint

Summary

CVE ID: CVE-2026-35491
Advisory: GHSA-r7g8-3fj7-m5qq
Vulnerability Type: Authorization Bypass
CWE: CWE-863: Incorrect Authorization
Attack Vector: Local
CVSS v3.1 Base Score: 6.1 (Medium)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Affected Versions: Pi-hole FTL >= 6.0 through 6.5
Patched Version: 6.6
Discovered By: Mohammed Alzahrani

Description

Pi-hole FTL versions 6.0 through 6.5 contain an authorization bypass in the Teleporter import endpoint. CLI-scoped API sessions — intended for read-only operations — are properly rejected by /api/config with HTTP 403, but the /api/teleporter endpoint lacks equivalent authorization checks. ...

June 28, 2026 · 2 min · Mohammed Alzahrani

CVE-2026-37762 — Unauthenticated RCE and Input Injection in Skyworth Android TV (DailyHub)

Summary

CVE ID: CVE-2026-37762
Vulnerability Type: Missing Authentication / Insecure Permissions
CWE: CWE-306, CWE-732
Attack Vector: Network (Adjacent)
CVSS v3.1 Base Score: 8.8 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Assigned By: MITRE
Status: Published
Discovered By: Mohammed Alzahrani

Affected Products

Device: Skyworth SW-22AE NF (MediaTek m7332 platform)
Firmware Build: SW/SW6H_TG_NF/SW6H:11/RTT2.220103.001/20250701:user/release-keys
Android Version: 11
Security Patch: 2025-06-01
Vulnerable App: com.smartdevice.dailyshortcut (DailyHub)
App Version: 1.0.268.250721 (versionCode 1000268)
System UID: userId=1000
Code Path: /system_ext/app/DailyHub

Description

The DailyHub system application (com.smartdevice.dailyshortcut), pre-installed on Skyworth Android TV devices, exposes two unauthenticated network services: ...

June 28, 2026 · 2 min · Mohammed Alzahrani