cpe:2.3:a:pi-hole:adminlte:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
Product: Adminlte (2a36c28b-8c4e-599e-87b5-a723e27689ee)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL                               Source    Last updated
pkg:github/pi-hole/adminlte        purl2cpe  2026-06-01 10:10:57.006497
pkg:rpm/opensuse/pi-hole-adminlte  purl2cpe  2026-06-01 10:10:57.006499

Vulnerability references

Identifier  cpeApplicability  Submitted  db.gcve.eu details  Rationale
CVE:CVE-2023-23614 vulnerable 2026-06-08 05:56:03.778818 Improper session handling of "Remember me for 7 days" functionality
HIGH (8.8)
Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3, are vulnerable to Insufficient Session Expiration. Improper use of the admin WEBPASSWORD hash as the "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to log in or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire after 7 days but its value will remain valid as long as the admin password doesn't change. If a cookie is leaked or compromised it could be used forever as long as the admin password is not changed. An attacker that obtained the password hash via another attack vector (for example a path traversal vulnerability) could use it to log in as the admin by setting the hash as the cookie value without the need to crack it to obtain the admin password (pass the hash). The hash is exposed over the network and in the browser where the cookie is transmitted and stored. This issue is patched in version 5.18.3.
Published: 2023-01-26T10:15:21.120Z
Updated: 2025-03-10T21:19:20.064Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-31029 vulnerable 2026-06-08 05:43:40.014877 Authenticated XSS in Pi-hole AdminLTE
MEDIUM (5.9)
AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions, inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting Enter (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to Pi-hole, minimizing the risks. Users are advised to upgrade. There are no known workarounds for this issue.
Published: 2022-07-07T21:55:10.000Z
Updated: 2025-04-23T18:03:57.709Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-23513 vulnerable 2026-06-08 05:40:57.675701 Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint
MEDIUM (5.3)
Pi-Hole provides network-wide ad blocking via your own Linux hardware; AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on the `queryads` endpoint. In the application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php`. Potential threat actor(s) are able to perform an unauthorized query search in blocked domain lists. This could lead to the disclosure of any victims' personal blacklists.
Published: 2022-12-22T23:17:19.812Z
Updated: 2025-04-15T13:32:52.300Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-41175 vulnerable 2026-06-08 05:35:19.904282 Stored XSS in Client Groups Management (Authenticated)
HIGH (7.3)
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.
Published: 2021-10-26T14:10:12.000Z
Updated: 2024-08-04T02:59:31.690Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-32793 vulnerable 2026-06-08 05:32:08.040764 Stored XSS Vulnerability in the Pi-hole Webinterface
MEDIUM (5.7)
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web Interface version 5.5.1 contains a patch for this vulnerability.
Published: 2021-08-04T17:55:09.000Z
Updated: 2024-08-03T23:33:55.912Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-32706 vulnerable 2026-06-08 05:32:07.880672 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-29448 vulnerable 2026-06-08 05:31:26.381028 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
