pi-hole — Vulnerabilities & Security Advisories (31)

Browse all 31 CVE security advisories affecting pi-hole. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Pi-hole operates as a network-wide ad and tracker blocking DNS sinkhole, primarily deployed in home and small business environments to filter malicious traffic at the network level. Historically, its security profile has been marred by critical flaws, including remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities within its web interface and API. These weaknesses often stemmed from insufficient input validation, allowing attackers to gain unauthorized administrative access or execute arbitrary commands on the underlying Linux system. With thirty-one Common Vulnerabilities and Exposures (CVEs) currently on record, the software has faced significant scrutiny regarding its codebase maintenance and patching speed. While it provides essential privacy benefits by blocking unwanted network requests, its history of privilege escalation and RCE risks highlights the importance of keeping the installation updated and restricting web interface access to trusted networks only.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39849 | Pi-hole FTL remote code execution via newline injection in dns.interface configuration | FTL | CWE-93 | - | - | 2026-05-05 |
| CVE-2026-35521 | Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection | FTL | CWE-78 | 8.8 | High | 2026-04-07 |
| CVE-2026-35520 | Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection | FTL | CWE-78 | 8.8 | High | 2026-04-07 |
| CVE-2026-35519 | Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection | FTL | CWE-78 | 8.8 | High | 2026-04-07 |
| CVE-2026-35518 | Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection | FTL | CWE-78 | 8.8 | High | 2026-04-07 |
| CVE-2026-35517 | Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection | FTL | CWE-78 | 8.8 | High | 2026-04-07 |
| CVE-2026-35491 | Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration | FTL | CWE-863 | 6.1 | Medium | 2026-04-07 |
| CVE-2026-33405 | Pi-hole has a Stored HTML Injection in queries.js | web | CWE-79 | 3.1 | Low | 2026-04-06 |
| CVE-2026-33727 | Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root) | pi-hole | CWE-269 | 6.4 | Medium | 2026-04-06 |
| CVE-2026-33406 | Pi-hole has a Stored HTML attribute injection | web | CWE-79 | 5.4 | Medium | 2026-04-06 |
| CVE-2026-33404 | Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard | web | CWE-79 | 3.4 | Low | 2026-04-06 |
| CVE-2026-33403 | Pi-hole has a Reflected XSS / HTML injection in taillog.js | web | CWE-79 | 6.1 | Medium | 2026-04-06 |
| CVE-2026-33765 | Pi-hole Web Interface has a Command Injection Vulnerability | web | CWE-78 | 9.8 | - | 2026-03-27 |
| CVE-2026-26953 | Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table | web | CWE-20 | 5.4 | Medium | 2026-02-19 |
| CVE-2026-26952 | Pi-hole Web Interface has Stored HTML Injection via Local DNS Records (CNAME/Hosts) in data-tag Attribute | web | CWE-20 | 5.4 | Medium | 2026-02-19 |
| CVE-2025-59151 | Pi-hole Admin Interface vulnerable to HTTP response header injection via CRLF injection | web | CWE-93 | 8.2 | High | 2025-10-27 |
| CVE-2025-53533 | Pi-hole Admin Interface vulnerable to cross-site scripting via malformed URL path on 404 error page | web | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2025-32785 | Pi-hole Admin Interface vulnerable to persistent XSS on Subscribed lists group management (Adress Field) | web | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-10-27 |
| CVE-2024-34361 | Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE) | pi-hole | CWE-918 | 8.6 | High | 2024-07-05 |
| CVE-2024-28247 | Pihole Authenticated Arbitrary File Read with root privileges | pi-hole | CWE-200 | 7.6 | High | 2024-03-27 |
| CVE-2023-23614 | Improper session handling of "Remember me for 7 days" functionality | AdminLTE | CWE-613 | 8.8 | High | 2023-01-26 |
| CVE-2022-23513 | Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint | AdminLTE | CWE-284 | 5.3 | Medium | 2022-12-22 |
| CVE-2022-31029 | Authenticated XSS in Pi-hole AdminLTE | AdminLTE | CWE-79 | 5.9 | Medium | 2022-07-07 |
| CVE-2021-41175 | Stored XSS in Client Groups Management (Authenticated) | AdminLTE | CWE-79 | 7.3 | High | 2021-10-26 |
| CVE-2021-3812 | Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte | pi-hole/adminlte | CWE-79 | 6.1 | - | 2021-09-17 |
| CVE-2021-3811 | Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte | pi-hole/adminlte | CWE-79 | 6.1 | - | 2021-09-17 |
| CVE-2021-3706 | Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte | pi-hole/adminlte | CWE-1004 | 7.5 | - | 2021-09-15 |
| CVE-2021-32793 | Stored XSS Vulnerability in the Pi-hole Webinterface | AdminLTE | CWE-79 | 5.7 | Medium | 2021-08-04 |
| CVE-2021-32706 | (Authenticated) Remote Code Execution Possible in Web Interface 5.5 | AdminLTE | CWE-94 | 7.6 | High | 2021-08-04 |
| CVE-2021-29448 | Stored DOM XSS in Pi-hole Admin Web Interface | AdminLTE | CWE-79 | 7.6 | High | 2021-04-15 |

A "-" in the CVSS or Severity column means no value was listed for that entry. Values marked "(AI)" carry the source page's AI tag, meaning the score or severity was produced by the site's AI analysis rather than taken from an assigned rating.

This page lists every published CVE security advisory associated with pi-hole. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.