Skip to main content

Pi Hole

17 CVEs product

Monthly

CVE-2026-41489 HIGH PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Privilege Escalation Pi Hole
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33727 MEDIUM PATCH This Month

Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.

Privilege Escalation RCE Pi Hole
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-34087 HIGH POC THREAT Act Now

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.

Command Injection Pi Hole
NVD GitHub
CVSS 3.1
8.8
EPSS
46.7%
Threat
4.7
CVE-2024-44069 HIGH POC This Week

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Pi Hole
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-34361 HIGH POC PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Pi Hole
NVD GitHub
CVSS 3.1
8.8
EPSS
2.8%
CVE-2024-28247 MEDIUM POC PATCH This Month

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Pi Hole
NVD GitHub
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-32793 MEDIUM POC This Month

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pi Hole
NVD GitHub
CVSS 3.1
4.8
EPSS
0.8%
CVE-2021-32706 HIGH POC THREAT This Week

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Pi Hole
NVD GitHub
CVSS 3.1
8.8
EPSS
60.2%
CVE-2021-29448 HIGH POC This Week

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ftldns Pi Hole Web Interface
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2021-29449 MEDIUM POC THREAT This Month

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.3), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.

Privilege Escalation Pi Hole
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
11.4%
CVE-2020-35659 MEDIUM PATCH This Month

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pi Hole
NVD GitHub
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-14162 HIGH POC This Week

An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Pi Hole
NVD
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-12620 HIGH POC This Week

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Pi Hole
NVD GitHub
CVSS 3.1
7.8
EPSS
1.5%
CVE-2020-14971 HIGH PATCH This Week

Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP Pi Hole
NVD GitHub
CVSS 3.1
7.8
EPSS
0.6%
CVE-2020-8816 HIGH POC KEV PATCH THREAT Act Now

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Command Injection Pi Hole
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
78.2%
CVE-2020-11108 HIGH POC THREAT Act Now

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP Pi Hole
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
78.3%
CVE-2019-13051 HIGH PATCH This Week

Pi-Hole 4.3 allows Command Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Pi Hole
NVD GitHub
CVSS 3.1
8.8
EPSS
12.5%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Privilege Escalation Pi Hole
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.

Privilege Escalation RCE Pi Hole
NVD GitHub
EPSS 47% 4.7 CVSS 8.8
HIGH POC THREAT Act Now

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When adding a domain, the domain parameter is passed to OS commands without sanitization, allowing administrators to execute arbitrary commands with the Pi-hole daemon's privileges.

Command Injection Pi Hole
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dashboard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass PHP Pi Hole
NVD GitHub
EPSS 3% CVSS 8.8
HIGH POC PATCH This Week

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Pi Hole
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Pi Hole
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM POC This Month

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Pi Hole
NVD GitHub
EPSS 60% CVSS 8.8
HIGH POC THREAT This Week

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Pi Hole
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Ftldns Pi Hole +1
NVD GitHub
EPSS 11% CVSS 6.3
MEDIUM POC THREAT This Month

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.3), this vulnerability is low attack complexity. Public exploit code available and EPSS exploitation probability 11.4%.

Privilege Escalation Pi Hole
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Pi Hole
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC This Week

An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Pi Hole
NVD
EPSS 2% CVSS 7.8
HIGH POC This Week

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection (shell metacharacters after an IP address). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Pi Hole
NVD GitHub
EPSS 1% CVSS 7.8
HIGH PATCH This Week

Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass PHP Pi Hole
NVD GitHub
EPSS 78% CVSS 7.2
HIGH POC KEV PATCH THREAT Act Now

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Command Injection Pi Hole
NVD GitHub Exploit-DB
EPSS 78% CVSS 8.8
HIGH POC THREAT Act Now

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE PHP +1
NVD GitHub Exploit-DB
EPSS 12% CVSS 8.8
HIGH PATCH This Week

Pi-Hole 4.3 allows Command Injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Pi Hole
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy