Pi Hole
by Pi Hole
Source repositories
CVEs (31)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33765 | | Critical | 0.57 | 9.8 | 0.01 | | Mar 27, 2026 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled… |
| CVE-2026-44693 | | High | 0.50 | 8.8 | 0.00 | | Jun 10, 2026 | Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based… |
| CVE-2026-41489 | | High | 0.50 | 8.8 | 0.00 | | May 11, 2026 | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid… |
| CVE-2026-39849 | | High | 0.50 | 8.8 | 0.01 | | May 5, 2026 | Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives… |
| CVE-2021-29449 | | Medium | 0.45 | 6.3 | 0.02 | | Apr 14, 2021 | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Multiple privilege escalation vulnerabilities were discovered in version 5.2.4 of Pi-hole core. See the referenced GitHub security advisory for details. |
| CVE-2026-33727 | | Medium | 0.42 | 6.4 | 0.00 | | Apr 6, 2026 | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this… |
| CVE-2020-8816 | | | 0.15 | — | 0.78 | KEV | May 29, 2020 | Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. |
| CVE-2020-11108 | | | 0.10 | — | 0.78 | | May 11, 2020 | The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. (Also, it can be used in conjunction with the sudo rule for the www-data user to… |
| CVE-2025-34087 | | | 0.09 | — | 0.05 | | Jul 3, 2025 | An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are… |
| CVE-2021-32706 | | | 0.08 | — | 0.60 | | Aug 4, 2021 | Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code,… |
| CVE-2022-23513 | | | 0.04 | — | 0.40 | | Dec 22, 2022 | Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of… |
| CVE-2019-13051 | | | 0.01 | — | 0.12 | | Oct 9, 2019 | Pi-Hole 4.3 allows Command Injection. |
| CVE-2026-26953 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker… |
| CVE-2026-26952 | | | 0.00 | — | 0.00 | | Feb 19, 2026 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated… |
| CVE-2025-32785 | | | 0.00 | — | 0.00 | | Oct 27, 2025 | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists… |
| CVE-2024-44069 | | | 0.00 | — | 0.00 | | Aug 19, 2024 | Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. NOTE: the supplier reportedly does "not consider the bug a security issue" but the specific motivation for letting arbitrary persons change the value… |
| CVE-2024-34361 | | | 0.00 | — | 0.03 | | Jul 5, 2024 | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()`… |
| CVE-2024-28247 | | | 0.00 | — | 0.01 | | Mar 27, 2024 | The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pihole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the… |
| CVE-2023-23614 | | | 0.00 | — | 0.01 | | Jan 26, 2023 | Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes… |
| CVE-2022-31029 | | | 0.00 | — | 0.00 | | Jul 7, 2022 | AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `` in the field marked with "Domain to look for" and hitting enter (or clicking on any of the buttons) will execute the script. The user… |
Page 1 of 2