PT-2025-44019 · Pi-Hole · Pi-Hole Admin Interface

Dannypete

Published: 2025-10-25 · Updated: 2026-04-02

CVE-2025-53533

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Pi-hole Admin Interface versions 6.2.1 and earlier
Description: The Pi-hole Admin Interface, the web interface for managing the Pi-hole network-level advertisement and internet tracker blocking application, is susceptible to reflected cross-site scripting (XSS). The flaw lies in how a malformed URL path is handled on the 404 error page: the requested path is written into the class attribute of the body tag without adequate sanitization or escaping, so a quote character in the path closes the attribute and lets the remainder of the path be parsed as further markup. An attacker can exploit this by crafting a URL that adds an onload attribute, which executes arbitrary JavaScript in the victim's browser when the link is visited. Successful exploitation requires the attacker to deliver the crafted link to a victim; the result is attacker-controlled JavaScript running within the victim's browser session on the Pi-hole admin origin.
Recommendations: Update to version 6.3 or later.
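The pattern described above, as an added illustration that is not Pi-hole's own code: a 404 renderer that copies the path into the body's class attribute unescaped, the same renderer with attribute-context escaping, and a parser-based check that tells the two apart. The sample path is constructed for the example and only adds a harmless data attribute, so it shows the attribute break-out without any script.

```python
import html
from html.parser import HTMLParser

# Constructed sample path (not from the advisory). The double quote closes the
# class attribute early, so whatever follows is parsed as a new attribute.
SAMPLE_PATH = '/no-such-page" data-injected="1'


def render_404_vulnerable(path: str) -> str:
    """Mirror the flaw: the raw request path lands inside the class attribute."""
    return f'<body class="{path}"><h1>404 Not Found</h1></body>'


def render_404_fixed(path: str) -> str:
    """Escape for the attribute context; quote=True turns " into &quot;."""
    safe = html.escape(path, quote=True)
    return f'<body class="{safe}"><h1>404 Not Found</h1></body>'


class _BodyAttrs(HTMLParser):
    """Collect the attributes of the first <body> tag, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "body" and self.attrs is None:
            self.attrs = dict(attrs)  # html.parser unescapes attribute values


def body_attributes(markup: str) -> dict:
    """Parse the rendered page and return the <body> attributes as a dict."""
    parser = _BodyAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def path_stays_in_class(render, path: str) -> bool:
    """Regression check for a 404 renderer: <body> must carry only a class
    attribute, and that attribute must round-trip to the original path."""
    attrs = body_attributes(render(path))
    return set(attrs) == {"class"} and attrs.get("class") == path
```

Running the check against both renderers with SAMPLE_PATH shows the vulnerable one gains an extra attribute while the escaped one keeps the whole path inside class.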

XSS

Related Identifiers

BDU:2026-00761
CVE-2025-53533
GHSA-W8F8-92RX-4F6W

Affected Products

Pi-Hole Admin Interface