
cpe:2.3:a:pi-hole:web:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
Product: Web (7bf912eb-5069-5503-a2e8-981664e95101)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

Columns: PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale
Identifier: CVE:CVE-2026-33765
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:59:10.724382
  db.gcve.eu details:
    Title: Pi-hole Web Interface has a Command Injection Vulnerability
    Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
    Published: 2026-03-27T19:46:57.679Z
    Updated: 2026-04-02T13:04:40.898Z
    Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-33406
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:59:09.879287
  db.gcve.eu details:
    Title: Pi-hole has a Stored HTML attribute injection
    Severity: MEDIUM (5.4)
    Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5.
    Published: 2026-04-06T14:50:35.670Z
    Updated: 2026-04-07T14:08:17.918Z
    Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-33405
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:59:09.878886
  db.gcve.eu details:
    Title: Pi-hole has a Stored HTML Injection in queries.js
    Severity: LOW (3.1)
    Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5.
    Published: 2026-04-06T15:23:32.750Z
    Updated: 2026-04-06T18:37:49.276Z
    Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-33404
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:59:09.878401
  db.gcve.eu details:
    Title: Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard
    Severity: LOW (3.4)
    Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping, an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5.
    Published: 2026-04-06T14:48:45.348Z
    Updated: 2026-04-06T18:39:53.011Z
    Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-33403
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:59:09.876655
  db.gcve.eu details:
    Title: Pi-hole has a Reflected XSS / HTML injection in taillog.js
    Severity: MEDIUM (6.1)
    Description: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5.
    Published: 2026-04-06T14:48:05.132Z
    Updated: 2026-04-06T15:05:23.490Z
    Reference links:
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-26953
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:53:21.770696
  db.gcve.eu details: skipped to keep the page responsive
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2026-26952
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:53:21.769497
  db.gcve.eu details: skipped to keep the page responsive
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2025-59151
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:35:20.057638
  db.gcve.eu details: skipped to keep the page responsive
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2025-53533
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:31:14.676141
  db.gcve.eu details: skipped to keep the page responsive
  Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE:CVE-2025-32785
  CPE applicability: vulnerable
  Submitted: 2026-06-08 07:19:00.848780
  db.gcve.eu details: skipped to keep the page responsive
  Rationale: Imported from gcve-enriched-dumps CVE data
