Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
AnalysisAI
Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.
Technical ContextAI
Pi-hole is a DNS-based ad-blocking service running on Linux systems. The vulnerability stems from CWE-269 (Improper Access Control) where root-privileged Pi-hole scripts source configuration or version data from /etc/pihole/versions without proper validation. The pihole account, though configured with nologin to prevent direct interactive login, can still execute code if a Pi-hole component is compromised (e.g., via a separate vulnerability in the web dashboard or FTL daemon). When root-run scripts then source attacker-modified files from /etc/pihole/versions, the injected code executes with root privileges. This pattern is a classic privilege escalation chain: initial compromise of the pihole account (which has legitimate process execution capabilities) followed by code injection into files trusted by root-level processes.
RemediationAI
Upgrade to Pi-hole version 6.4.1 or later, which fixes the insecure sourcing of version information. The vendor-released patch corrects the privilege escalation by implementing proper input validation and file ownership/permission controls for files sourced by root-run scripts. Administrators should apply the patch immediately to all Pi-hole 6.4 installations. Additional hardening steps include: verify that /etc/pihole/versions and related configuration files are owned by root with restricted write permissions (not writable by the pihole account), and review the Pi-hole security advisory at https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74 for detailed technical context and any interim mitigations if upgrading is delayed.
Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin
The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.
Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)
An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex
Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection
Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash
The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19291