PT-2025-44010 · Pi-Hole · Pi-Hole Admin Interface

F4Bz1993 · Published 2025-10-27 · Updated 2025-10-27 · CVE-2025-32785

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Pi-hole Admin Interface versions prior to 6.3

Description: The Pi-hole Admin Interface, a web interface for managing the Pi-hole advertisement and internet tracker blocking application, is susceptible to a cross-site scripting (XSS) issue. This occurs through the Address field within the Subscribed Lists group management section. An authenticated user can introduce malicious JavaScript code by adding a payload to the Address field during the creation or modification of a list entry. The vulnerability is activated when another user accesses the Tools section and initiates a gravity database update. The Address field lacks adequate input sanitization, permitting special characters and script tags to circumvent validation.

Recommendations: Versions prior to 6.3 should be updated to version 6.3.
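A defensive pattern for the Address field described above, added here as an example and not Pi-hole's own code: the list address is validated as an http(s) URL before it is stored, and it is escaped when written into the gravity update output so it is displayed as text rather than interpreted as markup. Function names and the sample addresses are assumptions; in a browser the equivalent of the rendering step is assigning the value to `textContent` instead of `innerHTML`.

```javascript
// Characters that have no place in a list address and are the usual
// building blocks of markup or attribute injection.
const FORBIDDEN = /[<>"'`\s\\]/;
// RFC 1123 style hostname (labels of letters, digits and hyphens).
// IPv6 literals are deliberately not accepted by this check.
const HOSTNAME_RE =
  /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// Validate a subscribed-list address before it is stored (hypothetical name).
// Returns { ok: true, address } with the normalised URL, or { ok: false, reason }.
function validateListAddress(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 2048) {
    return { ok: false, reason: 'length' };
  }
  if (FORBIDDEN.test(value)) return { ok: false, reason: 'forbidden character' };
  let url;
  try {
    url = new URL(value); // throws on anything that is not an absolute URL
  } catch (e) {
    return { ok: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  if (!HOSTNAME_RE.test(url.hostname)) return { ok: false, reason: 'hostname' };
  return { ok: true, address: url.href };
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build one line of the gravity update output (hypothetical name). The
// address is escaped on output regardless of what validation did on input,
// so a value that reached the database by another path is still shown as text.
function renderGravityLine(address, status) {
  return `<li><code>${escapeHtml(address)}</code>: ${escapeHtml(status)}</li>`;
}

// Constructed sample: one well-formed list address and one carrying markup.
const SAMPLE_OK = 'https://lists.example.com/hosts.txt';
const SAMPLE_BAD = 'https://lists.example.com/<img>';
```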

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-32785
GHSA-7W6H-3GWC-QHQ5

Affected Products

Pi-Hole Admin Interface