cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*:*

part: a
version: *
update: *
Vendor: Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
Product: Pi Hole (78c250c9-8027-5223-a813-a347760e361e)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL                          Source     Last updated
pkg:github/pi-hole/adminlte   purl2cpe   2026-06-01 10:10:56.987500
pkg:github/pi-hole/pi-hole    purl2cpe   2026-06-01 10:10:56.987502

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale
Identifier: CVE:CVE-2026-41489
CPE applicability: vulnerable
Submitted: 2026-06-08 08:03:15.478586
db.gcve.eu details:
  Title: Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks
  Severity: HIGH (8.8)
  Description: Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.
  Published: 2026-05-11T20:21:38.905Z
  Updated: 2026-05-13T14:39:33.663Z
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-33727
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:10.659097
db.gcve.eu details:
  Title: Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).
  Severity: MEDIUM (6.4)
  Description: Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
  Published: 2026-04-06T15:02:19.693Z
  Updated: 2026-04-07T13:06:34.177Z
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2025-34087
CPE applicability: vulnerable
Submitted: 2026-06-08 07:19:02.166195
db.gcve.eu details:
  Title: Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution
  Description: An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.
  Published: 2025-07-03T19:46:49.017Z
  Updated: 2026-05-15T11:14:37.802Z
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2024-44069
CPE applicability: vulnerable
Submitted: 2026-06-08 06:45:53.558413
db.gcve.eu details:
  Description: Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit, or Kelvin), seen by the device owner, is unclear.
  Published: 2024-08-19T00:00:00.000Z
  Updated: 2024-10-29T20:25:31.467Z
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2024-34361
CPE applicability: vulnerable
Submitted: 2026-06-08 06:37:33.174595
db.gcve.eu details:
  Title: Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE)
  Severity: HIGH (8.6)
  Description: Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.
  Published: 2024-07-05T18:30:01.314Z
  Updated: 2024-08-02T02:51:10.981Z
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier          CPE applicability  Submitted                   Rationale
CVE:CVE-2024-28247  vulnerable         2026-06-08 06:33:26.813798  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-32793  vulnerable         2026-06-08 05:32:08.040795  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-32706  vulnerable         2026-06-08 05:32:07.881623  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-29449  vulnerable         2026-06-08 05:31:26.384904  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-8816   vulnerable         2026-06-08 05:27:19.719374  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-35659  vulnerable         2026-06-08 05:25:01.489274  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14971  vulnerable         2026-06-08 05:19:25.051343  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-14162  vulnerable         2026-06-08 05:19:22.566980  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-12620  vulnerable         2026-06-08 05:17:58.642395  Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-11108  vulnerable         2026-06-08 05:16:36.460387  Imported from gcve-enriched-dumps CVE data