CVE-2026-33406
Pi-hole Admin Interface (6.0–before 6.5) contains a stored HTML attribute injection in the /api/config values embedded into HTML value="" attributes via settings-advanced.js, enabling attribute-level manipulation. The root cause is unescaped config values, which can break out of the attribute con...