cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a |
| Vendor | Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667) |
| Product | Pi Hole (78c250c9-8027-5223-a813-a347760e361e) |
| Version | * |
| Update | * |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/pi-hole/adminlte | purl2cpe | 2026-06-01 10:10:56.987500 |
| pkg:github/pi-hole/pi-hole | purl2cpe | 2026-06-01 10:10:56.987502 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-41489 | vulnerable | 2026-06-08 08:03:15.478586 | Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks. Severity: HIGH (8.8). Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from Pi-hole's configuration file, which the pihole user can write, without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privileges can make root delete and then recreate any file on the system outside the directories restricted by ProtectSystem=full, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root by manipulating SSH authorized keys. If /root/.ssh/authorized_keys does not exist (the default on fresh installs), only the ExecStartPre hook is required; if the file exists, the ExecStopPost hook deletes it first, and a single service restart triggers both hooks in sequence. Fixed in Core 6.4.2 and FTL 6.6.1. Published: 2026-05-11T20:21:38.905Z. Updated: 2026-05-13T14:39:33.663Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33727 | vulnerable | 2026-06-08 07:59:10.659097 | Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root). Severity: MEDIUM (6.4). Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue; however, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. Fixed in 6.4.1. Published: 2026-04-06T15:02:19.693Z. Updated: 2026-04-07T13:06:34.177Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-34087 | vulnerable | 2026-06-08 07:19:02.166195 | Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution. An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions. Published: 2025-07-03T19:46:49.017Z. Updated: 2026-05-15T11:14:37.802Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-44069 | vulnerable | 2026-06-08 06:45:53.558413 | Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue", but the specific motivation for letting arbitrary persons change the value (Celsius, Fahrenheit, or Kelvin) seen by the device owner is unclear. Published: 2024-08-19T00:00:00.000Z. Updated: 2024-10-29T20:25:31.467Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-34361 | vulnerable | 2026-06-08 06:37:33.174595 | Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE). Severity: HIGH (8.6). Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. Published: 2024-07-05T18:30:01.314Z. Updated: 2024-08-02T02:51:10.981Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-28247 | vulnerable | 2026-06-08 06:33:26.813798 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-32793 | vulnerable | 2026-06-08 05:32:08.040795 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-32706 | vulnerable | 2026-06-08 05:32:07.881623 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-29449 | vulnerable | 2026-06-08 05:31:26.384904 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-8816 | vulnerable | 2026-06-08 05:27:19.719374 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-35659 | vulnerable | 2026-06-08 05:25:01.489274 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-14971 | vulnerable | 2026-06-08 05:19:25.051343 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-14162 | vulnerable | 2026-06-08 05:19:22.566980 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-12620 | vulnerable | 2026-06-08 05:17:58.642395 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-11108 | vulnerable | 2026-06-08 05:16:36.460387 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |