Approved changes feed: RSS · Atom

cpe:2.3:a:pi-hole:pi-hole:5.1:*:*:*:*:*:*:*

part: a version: 5.1 update: *

VendorPi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
ProductPi Hole (78c250c9-8027-5223-a813-a347760e361e)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:github/pi-hole/adminlte purl2cpe 2026-06-01 10:10:56.987657
pkg:github/pi-hole/pi-hole purl2cpe 2026-06-01 10:10:56.987658

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2024-34361 vulnerable 2026-06-08 06:37:33.173804 Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE)
HIGH (8.6)
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue.
Published: 2024-07-05T18:30:01.314Z
Updated: 2024-08-02T02:51:10.981Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-35592 vulnerable 2026-06-08 05:25:01.420769 Details available
Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header to the admin/ URI. A remote user is able to inject arbitrary web script or HTML due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against other users and steal the session cookie.
Published: 2021-02-18T19:29:40.000Z
Updated: 2024-08-04T17:09:14.207Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2020-35591 vulnerable 2026-06-08 05:25:01.419349 Details available
Pi-hole 5.0, 5.1, and 5.1.1 allows Session Fixation. The application does not generate a new session cookie after the user is logged in. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.
Published: 2021-02-18T19:26:56.000Z
Updated: 2024-08-04T17:09:14.106Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.