Skip to main content

Pi Hole CVE-2025-34087

| EUVDEUVD-2025-19902 HIGH
OS Command Injection (CWE-78)
2025-07-03 disclosure@vulncheck.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 16, 2026 - 02:12 euvd
EUVD-2025-19902
Analysis Generated
Mar 16, 2026 - 02:12 vuln.today
PoC Detected
Oct 01, 2025 - 14:08 vuln.today
Public exploit code
CVE Published
Jul 03, 2025 - 20:15 nvd
HIGH 8.8

DescriptionCVE.org

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user.

This behavior was present in the legacy AdminLTE interface and has since been patched in later versions.

AnalysisAI

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.

Technical ContextAI

The web interface's allowlist functionality passes the domain parameter to shell commands for updating DNS configuration. Shell metacharacters in the domain field are not sanitized, allowing command injection. Commands execute with the pihole user's privileges, which include sudo rights for DNS management.

RemediationAI

Update Pi-hole to the latest version. Use a strong admin password. Restrict Pi-hole admin interface access to trusted devices. Monitor DNS query logs for unusual resolution patterns.

CVE-2020-11108 HIGH POC
8.8 May 11

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever

CVE-2021-29449 MEDIUM POC
6.3 Apr 14

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.

CVE-2020-8816 HIGH POC
7.2 May 29

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l

CVE-2024-34361 HIGH POC
8.8 Jul 05

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated

CVE-2021-32706 HIGH POC
8.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

CVE-2021-29448 HIGH POC
8.8 Apr 15

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)

CVE-2020-14162 HIGH POC
7.8 Jul 30

An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex

CVE-2020-12620 HIGH POC
7.8 Jul 30

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection

CVE-2024-44069 HIGH POC
7.5 Aug 19

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash

CVE-2024-28247 MEDIUM POC
6.5 Mar 27

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa

CVE-2026-41489 HIGH
8.8 May 11

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From

CVE-2021-32793 MEDIUM POC
4.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

Share

CVE-2025-34087 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy