Pi Hole

by Pi Hole

CVEs (31)

  • CVE-2026-33765 · Critical · Mar 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled…

  • CVE-2026-44693 · High · Jun 10, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based…

  • CVE-2026-41489 · High · May 11, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid…

  • CVE-2026-39849 · High · May 5, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives…

  • CVE-2021-29449 · Medium · Apr 14, 2021
    risk 0.45 · cvss 6.3 · epss 0.02

    Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details.

  • CVE-2026-33727 · Medium · Apr 6, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this…

  • CVE-2020-8816 · KEV · May 29, 2020
    risk 0.15 · cvss n/a · epss 0.78

    Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.

  • CVE-2020-11108 · May 11, 2020
    risk 0.10 · cvss n/a · epss 0.78

    The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to…

  • CVE-2025-34087 · Jul 3, 2025
    risk 0.09 · cvss n/a · epss 0.05

    An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are…

  • CVE-2021-32706 · Aug 4, 2021
    risk 0.08 · cvss n/a · epss 0.60

    Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code,…

  • CVE-2022-23513 · Dec 22, 2022
    risk 0.04 · cvss n/a · epss 0.40

    Pi-Hole provides network-wide ad blocking via your own Linux hardware; AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on the `queryads` endpoint. In the case of…

  • CVE-2019-13051 · Oct 9, 2019
    risk 0.01 · cvss n/a · epss 0.12

    Pi-Hole 4.3 allows Command Injection.

  • CVE-2026-26953 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker…

  • CVE-2026-26952 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated…

  • CVE-2025-32785 · Oct 27, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists…

  • CVE-2024-44069 · Aug 19, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value…

  • CVE-2024-34361 · Jul 5, 2024
    risk 0.00 · cvss n/a · epss 0.03

    Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()`…

  • CVE-2024-28247 · Mar 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pi-hole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the…

  • CVE-2023-23614 · Jan 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes…

  • CVE-2022-31029 · Jul 7, 2022
    risk 0.00 · cvss n/a · epss 0.00

    AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `` in the field marked with "Domain to look for" and hitting enter (or clicking on any of the buttons) will execute the script. The user…

Page 1 of 2