Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
AnalysisAI
Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).
Technical ContextAI
Pi-hole is a DNS-based network-wide ad blocking solution that runs as a lightweight service on Linux systems. The vulnerability (CWE-78: OS Command Injection) exists in the PHP-based administrative web interface, specifically in savesettings.php. This file processes user-supplied configuration data through POST requests. The vulnerable code path takes the $_POST['webtheme'] parameter and directly concatenates it into a system command string passed to PHP's exec() function, which is wrapped with sudo for privilege elevation. Without input sanitization, validation, or parameterization, attackers can inject shell metacharacters (semicolons, pipes, backticks) to break out of the intended command context and execute arbitrary code. Since the parent process runs with sudo privileges, injected commands inherit root-level access to the underlying operating system, enabling complete system compromise.
RemediationAI
Immediately upgrade Pi-hole Admin Interface to version 6.0 or later, which contains patches eliminating the command injection vulnerability through proper input validation and sanitization. Administrators should update using Pi-hole's standard update mechanism (pihole -up command) or by manually pulling the latest web interface code from the official repository. Until patching is complete, implement defense-in-depth controls: restrict web interface access through firewall rules to trusted IP ranges only, disable external internet access to the admin interface (typically port 80/443), or place Pi-hole behind a VPN or jump host for administrative access. Do not expose the admin interface to untrusted networks or the public internet. Verify successful upgrade by checking the version in the web interface footer or via pihole -v command. Review system logs for suspicious command execution patterns in Apache/lighttpd access logs and system audit logs to identify potential compromise prior to patching. Consult the official vendor advisory at https://github.com/pi-hole/web/security/advisories/GHSA-828h-5x96-rqx7 for additional mitigation guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16781