Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
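The description above names the pattern (a POST parameter concatenated into a command string handed to exec() under sudo) without showing code. The following PHP is an added illustration written for this record, not Pi-hole's own savesettings.php: the actual pihole subcommand is not given on this page, so PIHOLE_THEME_CMD is a placeholder, and the theme names in ALLOWED_THEMES are assumed values. It places the vulnerable construction beside a hardened one that allowlists the value and wraps it in escapeshellarg(); both functions return the command string instead of executing it so the contrast can be inspected safely.

```php
<?php
// Added illustration of the pattern in the advisory; not Pi-hole's own code.
// The real pihole subcommand is not on this page, so this is a placeholder.
const PIHOLE_THEME_CMD = 'sudo pihole <theme-subcommand>';

// Assumed theme identifiers for illustration only.
const ALLOWED_THEMES = ['default-light', 'default-dark'];

/**
 * Vulnerable construction, as the advisory describes it: the raw POST value
 * is appended to the command string that would be passed to exec().
 * Shown for contrast only; it is never executed here.
 */
function buildThemeCommandVulnerable(array $post): string
{
    $theme = $post['webtheme'] ?? '';
    return PIHOLE_THEME_CMD . ' ' . $theme;   // user input reaches the shell untouched
}

/**
 * Hardened construction: reject anything outside a fixed allowlist, then
 * quote the accepted value with escapeshellarg() as a second layer.
 * Returns null when the input is refused, so the caller runs nothing.
 */
function buildThemeCommandHardened(array $post): ?string
{
    $theme = $post['webtheme'] ?? null;
    if (!is_string($theme) || !in_array($theme, ALLOWED_THEMES, true)) {
        return null;
    }
    return PIHOLE_THEME_CMD . ' ' . escapeshellarg($theme);
}

// Constructed sample submissions: one legitimate theme name, one carrying a
// shell metacharacter of the kind the advisory says is not filtered.
$samples = [
    'legitimate' => ['webtheme' => 'default-dark'],
    'tampered'   => ['webtheme' => 'default-dark; touch /tmp/x'],
];

foreach ($samples as $label => $post) {
    $hardened = buildThemeCommandHardened($post);
    echo $label, PHP_EOL;
    echo '  vulnerable would build: ', buildThemeCommandVulnerable($post), PHP_EOL;
    echo '  hardened result:        ', $hardened === null ? '(rejected)' : $hardened, PHP_EOL;
}
```

The allowlist is the control that matters: escapeshellarg() alone would stop the metacharacter from reaching the shell, but it still lets an arbitrary string be passed as an argument to a command running under sudo, whereas the allowlist confines the value to the handful of names the application actually supports. A deployment-level mitigation that also follows from the description is to keep the admin interface off untrusted networks, since the report rates it as reachable without authentication.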
Published: 2026-03-27
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

The Pi‑hole administration page accepts a user‑controlled "webtheme" value and passes it directly to the shell via PHP’s exec function. Because the input is not sanitized or validated, an attacker can inject arbitrary commands. Executed under sudo privileges, these commands run as root, allowing an attacker to gain full control of the host.

Affected Systems

All installations of Pi‑hole’s web interface running versions older than 6.0 are affected. Files before this release contain the vulnerable savesettings.php logic, placing exposed systems at risk when the interface is reachable over a network.

Risk and Exploitability

The CVSS score of 8.9 reflects a high‑severity vulnerability. While an EPSS score is not available and the flaw is not catalogued in the CISA KEV list, the straightforward web‑based exploitation path means that an attacker with network access can readily trigger the injection using the theme submission form. Successful exploitation results in arbitrary root‑level command execution and full system compromise.

Generated by OpenCVE AI on March 27, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Pi‑hole to version 6.0 or later
  • Limit web interface access to trusted networks or block it from the public internet
  • Apply network firewall rules to restrict reachability to the Pi‑hole management port

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 07:15:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Pi-hole; Pi-hole web
Vendors & Products   |                | Pi-hole; Pi-hole web

Fri, 27 Mar 2026 20:00:00 +0000

Type         | Values Removed | Values Added
Description  |                | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
Title        |                | Pi-hole Web Interface has a Command Injection Vulnerability
Weaknesses   |                | CWE-78
References   |                |
Metrics      |                | cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:46:57.679Z

Reserved: 2026-03-23T18:30:14.126Z

Link: CVE-2026-33765

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-27T20:16:34.053

Modified: 2026-03-30T13:26:29.793

Link: CVE-2026-33765

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:00:35Z

Weaknesses