Description
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
Published: 2026-03-27
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution with Root Privileges
Action: Immediate Patch
AI Analysis

Impact

The Pi‑hole Admin Interface contains a flaw in savesettings.php that allows an attacker to control the $_POST['webtheme'] parameter. That value is concatenated directly into a shell command executed by PHP’s exec() function. Because no sanitization or validation occurs, an attacker can inject arbitrary commands, and since the command runs under sudo, the injected code executes with root privileges. This can lead to full compromise of the host, including data theft, changes to network configuration, or persistence.
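As an added illustration (not Pi-hole's source), the command-building shape described above is shown beside a hardened replacement that accepts only an exact allowlist entry and still quotes the value before use; the `pihole -a -t` option string and the theme names are assumptions made for this example.

```php
<?php
// Added example, not Pi-hole's source. Shows the CWE-78 shape from the
// description and a hardened replacement. The "pihole -a -t" option string
// and the theme names are assumptions made for illustration.

const ALLOWED_THEMES = ['default-light', 'default-dark', 'default-auto'];

// Vulnerable shape: the request value is glued into the shell string, so a
// value such as "default-dark;echo injected" becomes two commands once the
// shell parses it, and because of sudo both run with root privileges.
function build_theme_cmd_vulnerable(string $webtheme): string
{
    return 'sudo pihole -a -t ' . $webtheme;
}

// Hardened shape: accept only a string, only one that exactly matches a fixed
// allowlist entry (strict comparison), and still quote it so no shell
// metacharacter is interpreted even if the allowlist is later extended.
function build_theme_cmd_safe(mixed $webtheme): ?string
{
    if (!is_string($webtheme) || !in_array($webtheme, ALLOWED_THEMES, true)) {
        return null; // caller answers HTTP 400 and logs the rejected value
    }
    return 'sudo pihole -a -t ' . escapeshellarg($webtheme);
}

// Constructed request values, as they could arrive in $_POST['webtheme'].
$samples = ['default-dark', 'default-dark;echo injected', ['not', 'a', 'string']];
foreach ($samples as $value) {
    $shown = is_string($value) ? $value : 'array(...)';
    printf("input %-32s safe -> %s\n", var_export($shown, true),
        build_theme_cmd_safe($value) ?? 'REJECTED');
}
printf("vulnerable -> %s\n", build_theme_cmd_vulnerable('default-dark;echo injected'));
```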

Affected Systems

All Pi‑hole deployments running the web interface version earlier than 6.0 are affected. Owners and administrators should verify the installed package version; any installation that has not been upgraded to 6.0 or later carries the risk.

Risk and Exploitability

The CVSS score of 8.9 indicates a high severity vulnerability. The EPSS score is reported as less than 1 percent, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely publicized exploits yet. Nevertheless, the attack vector is a crafted HTTP POST request to the settings endpoint, which requires no user interaction. Successful exploitation would provide the attacker with root-level access to the system, enabling complete takeover and potential lateral movement.

Generated by OpenCVE AI on April 7, 2026 at 22:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole to version 6.0 or newer as the issue is fixed in that release.
  • Restrict access to the Admin Interface to trusted networks or authenticated clients if an upgrade cannot be performed immediately.
  • Monitor incoming POST requests to the /savesettings.php endpoint and validate the 'webtheme' parameter against a whitelist.
  • Audit sudo logs for unexpected activity and review system configuration changes.
  • Apply any subsequent security patches released by Pi‑hole promptly.


Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Pi-hole web Interface

Type: CPEs
Values Added: cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Pi-hole web Interface

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 02 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type: First Time appeared
Values Added: Pi-hole; Pi-hole web

Type: Vendors & Products
Values Added: Pi-hole; Pi-hole web

Fri, 27 Mar 2026 20:00:00 +0000

Type: Description
Values Added: Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.

Type: Title
Values Added: Pi-hole Web Interface has a Command Injection Vulnerability

Type: Weaknesses
Values Added: CWE-78

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T13:04:40.898Z

Reserved: 2026-03-23T18:30:14.126Z

Link: CVE-2026-33765

Vulnrichment

Updated: 2026-03-31T13:52:44.122Z

NVD

Status: Analyzed

Published: 2026-03-27T20:16:34.053

Modified: 2026-04-07T18:15:39.670

Link: CVE-2026-33765

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:04Z