cvedb.io
CVE-2026-33765
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2026-03-27T20:16:34.053 · Last modified 2026-06-17T10:38:03.580

Summary

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.

Affected products

pi-hole — web_interface

Does this affect you?

Add your gear to cvedb and we'll alert you only when pi-hole ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.