CVE-2025-53533
Published 2025-10-27
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.1 · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 0.56% (42.6th percentile)
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path: the 404 error page inserts the requested path into the class attribute of the body tag without sanitization or escaping. A URL whose path closes that attribute and appends an onload attribute therefore executes attacker-controlled JavaScript in the browser of any victim who visits the link. This has been patched in version 6.3.
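The defect described above is a classic attribute-context injection: a value is interpolated into a quoted HTML attribute without escaping the quote character, so the value can terminate the attribute and introduce a new one. The following Python is an added example, not Pi-hole's code and not from this page: the 404 template, the two renderers, the constructed sample path and the parser-based regression check are all assumptions made here to show the vulnerable pattern beside its hardened form.

```python
import html
from html.parser import HTMLParser

# Hypothetical 404 template standing in for the pattern the advisory
# describes (request path reflected into the body tag's class attribute).
# This is not Pi-hole's template; it is constructed here to show the fix.
TEMPLATE = '<html><body class="{cls}"><h1>404 Not Found</h1></body></html>'

# Constructed sample path of the kind the advisory describes: it closes the
# class attribute with a quote and appends an event-handler attribute.
SAMPLE_PATH = '/missing"onload=alert(1);x="'


def render_404_unsafe(path: str) -> str:
    """Vulnerable pattern: the raw request path is interpolated into the attribute."""
    return TEMPLATE.format(cls=path)


def render_404_safe(path: str) -> str:
    """Hardened pattern: attribute-context escaping before interpolation.

    html.escape(quote=True) encodes &, <, >, " and ', so a quote in the
    path cannot terminate the attribute and no new attribute can appear.
    """
    return TEMPLATE.format(cls=html.escape(path, quote=True))


class _BodyAttributes(HTMLParser):
    """Collects the attributes a tolerant HTML parser sees on the first <body> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.body_attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "body" and self.body_attrs is None:
            self.body_attrs = dict(attrs)


def body_attribute_names(document: str) -> list:
    """Return the sorted attribute names on the first <body> tag of a rendered page."""
    parser = _BodyAttributes()
    parser.feed(document)
    parser.close()
    return sorted(parser.body_attrs or {})


def reflects_event_handler(document: str) -> bool:
    """Regression check: True if any on* attribute ended up on <body>."""
    return any(name.startswith("on") for name in body_attribute_names(document))


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_404_unsafe), ("safe", render_404_safe)):
        page = renderer(SAMPLE_PATH)
        print(f"{label}: body attributes = {body_attribute_names(page)}")
        print(f"{label}: {page}")
```

The check parses the rendered page the way a browser would rather than grepping for a string, so it catches any attribute breakout regardless of the handler name used. Escaping must match the output context: `html.escape(quote=True)` is right for a quoted attribute value, but a path reflected into a `<script>` block or a `href` would need different treatment, and the simplest fix of all is for the 404 page not to reflect the requested path at all.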
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pi-hole | web | < 6.3 | 6.3 |
| pi-hole | web_interface | < 6.3 | 6.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 7.8 | HIGH | |
No advisories linked to this vulnerability.
No detection rules found.
Nuclei template: CVE-2025-53533 [MEDIUM] Pi-hole Reflected XSS in 404-Error Page (nuclei · CVSS 5.1). Matchers section of the template as indexed:
```yaml
matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - '"onload=alert(document.domain);>">'
  - type: word
    part: body
    words:
      - "pi-hole"
  - type: status
    status:
      - 404
# digest: 490a0046304402203dc844a287fefd19c7f86d70103c36b80e5a66a05cd27a6494008027e2c0075a022001adb72f9c7b3da32389184626fc8cd8c39fac60fcfc84363e779f353fdb7c09:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.