Skip to main content

Pi Hole CVE-2020-12620

HIGH
OS Command Injection (CWE-78)
2020-07-30 cve@mitre.org
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 30, 2020 - 14:15 nvd
HIGH 7.8

DescriptionNVD

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address).

AnalysisAI

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). Affected products include: Pi-Hole.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2025-34087 HIGH POC
8.8 Jul 03

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin

CVE-2020-11108 HIGH POC
8.8 May 11

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever

CVE-2021-29449 MEDIUM POC
6.3 Apr 14

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.

CVE-2020-8816 HIGH POC
7.2 May 29

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l

CVE-2024-34361 HIGH POC
8.8 Jul 05

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated

CVE-2021-32706 HIGH POC
8.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

CVE-2021-29448 HIGH POC
8.8 Apr 15

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)

CVE-2020-14162 HIGH POC
7.8 Jul 30

An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex

CVE-2024-44069 HIGH POC
7.5 Aug 19

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash

CVE-2024-28247 MEDIUM POC
6.5 Mar 27

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa

CVE-2026-41489 HIGH
8.8 May 11

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From

CVE-2021-32793 MEDIUM POC
4.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

Share

CVE-2020-12620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy