anonhaven
Ad

CVE-2025-53533

MEDIUM CVSS 3.1: 6.1 EPSS 0.18%
Updated Dec 18, 2025
Pi-Hole
Parameter Value
CVSS 6.1 (MEDIUM)
Affected Versions before 6.3
Fixed In 6.3
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Pi-Hole
Public PoC No

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body tag without proper sanitization or escaping.

An attacker can craft a URL containing an onload attribute that will execute arbitrary JavaScript code in the browser when a victim visits the malicious link. If an attacker sends a crafted pi-hole link to a victim and the victim visits it, attacker-controlled JavaScript code is executed in the browser of the victim. This has been patched in version 6.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Pi-Hole Web_Interface
cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*
 6.3

References 1

https://github.com/pi-hole/web/security/advisories/GHSA-w8f8-92rx-4f6w
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35491

Pi-Hole

6.1

CVE-2026-33727

Pi-Hole

6.7

CVE-2026-33405

Pi-Hole

4.8

CVE-2026-33403

Pi-Hole

6.1

CVE-2026-33765

PHP

8.9