Pi-hole Web Interface vulnerabilities
16 known vulnerabilities affecting pi-hole/web_interface.
Total CVEs: 16
CISA KEV: 0
Public exploits: 1
Exploited in the wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 11
Vulnerabilities
CVE-2026-33765 | P2 | CRITICAL | CVSS 9.8 | CWE-78 (OS Command Injection) | fixed in 6.0 | 2026-03-27
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS command injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system comman
Source: nvd
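The CWE-78 pattern behind CVE-2026-33765 is a request parameter concatenated into a shell command string. The snippet below is an added example, not Pi-hole's savesettings.php (which is PHP): it shows the same pattern in Node.js, the unsafe string build next to an allowlist check that hands the program an argv array instead of a shell line. The theme names in the allowlist and the hypothetical `set-theme` command are assumptions made for the example.

```javascript
// Added example (not Pi-hole code): CWE-78 via a user-controlled "webtheme"
// value, the unsafe concatenation next to the hardened form.
"use strict";

// Illustrative allowlist of theme names; the real set is an assumption here.
const ALLOWED_THEMES = new Set([
  "default-light", "default-dark", "default-darker", "default-auto",
  "high-contrast", "high-contrast-dark", "lcars",
]);

// Hypothetical program that applies the theme; stands in for whatever the
// real settings handler invokes.
const THEME_CMD = "set-theme";

// Vulnerable pattern: the request value is glued into a shell string, so
// shell metacharacters in `theme` become additional commands.
function buildShellCommandUnsafe(theme) {
  return THEME_CMD + " " + theme;
}

// Shell metacharacters that turn a concatenated argument into extra commands
// or substitutions when the string is handed to /bin/sh.
const SHELL_META = /[;&|`$(){}<>\r\n\\'"]/;

// True when buildShellCommandUnsafe() would give the shell more than the one
// intended command for this input.
function wouldInject(theme) {
  return typeof theme !== "string" || SHELL_META.test(theme);
}

// Hardened pattern: reject anything outside the allowlist, then return an
// argv array for child_process.execFile()/spawn(), which never goes through
// a shell. Callers use: execFile(argv[0], argv.slice(1), cb).
function buildArgvSafe(theme) {
  if (typeof theme !== "string" || !ALLOWED_THEMES.has(theme)) {
    throw new Error("invalid theme: " + JSON.stringify(theme));
  }
  return [THEME_CMD, theme];
}

module.exports = { buildShellCommandUnsafe, wouldInject, buildArgvSafe };
```

Two things make the hardened version hold: the allowlist closes off any value the application did not define, and the argv form means even a future allowlist mistake cannot reach a shell parser.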
CVE-2025-53533 | P3 | MEDIUM | CVSS 6.1 | CWE-79 (Cross-site Scripting) | public PoC | fixed in 6.3 | 2025-10-27
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions 6.2.1 and earlier are vulnerable to reflected cross-site scripting (XSS) via a malformed URL path. The 404 error page includes the requested path in the class attribute of the body
Source: nvd
CVE-2023-23614 | P3 | HIGH | CVSS 8.8 | CWE-613 (Insufficient Session Expiration) | affects ≥ 4.0, < 5.18.3 | 2023-01-26
Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3, are vulnerable to Insufficient Session Expiration. Improper use of the admin WEBPASSWORD hash as the "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to log in or reuse a theoreti
Source: nvd
CVE-2025-59151 | P3 | HIGH | CVSS 8.2 | CWE-93 (CRLF Injection) | fixed in 6.3 | 2025-10-27
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly san
Source: nvd
CVE-2021-29448 | P3 | HIGH | CVSS 8.8 | CWE-79 (Cross-site Scripting) | fixed in 5.5 | 2021-04-15
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. A stored XSS exists in the Pi-hole Admin portal and can be exploited by a malicious actor with network access to the DNS server. See the referenced GitHub security advisory for patch details.
Source: nvd
CVE-2021-3706 | P3 | HIGH | CVSS 7.5 | CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) | fixed in 5.6 | 2021-09-15
adminlte (the Pi-hole web interface) is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag.
Source: nvd
CVE-2026-26953 | P4 | MEDIUM | CVSS 5.4 | CWE-20 (Improper Input Validation) | affects ≥ 6.0, < 6.4.1 | 2026-02-19
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentials to inject arbitrary HTML code that will be rendered
Source: nvd
CVE-2026-33406 | P4 | MEDIUM | CVSS 6.1 | CWE-79 (Cross-site Scripting) | affects ≥ 6.0, ≤ 6.4.1 | 2026-04-06
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any c
Source: nvd
CVE-2026-33403 | P4 | MEDIUM | CVSS 6.1 | CWE-79 (Cross-site Scripting) | affects ≥ 6.0, ≤ 6.4.1 | 2026-04-06
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter
Source: nvd
CVE-2026-33404 | P4 | MEDIUM | CVSS 6.1 | CWE-79 (Cross-site Scripting) | affects ≥ 6.0, ≤ 6.4.1 | 2026-04-06
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validat
Source: nvd
CVE-2026-26952 | P4 | MEDIUM | CVSS 5.4 | CWE-20 (Improper Input Validation) | fixed in 6.4.1 | 2026-02-19
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through the local DNS records configuration page, which allows an authenticated administrator to inject code that is stored in the Pi-hole configuration and rende
Source: nvd
CVE-2025-32785 | P4 | MEDIUM | CVSS 5.4 | CWE-79 (Cross-site Scripting) | fixed in 6.3 | 2025-10-27
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface versions prior to 6.3 are vulnerable to cross-site scripting (XSS) via the Address field in the Subscribed Lists group management section. An authenticated user can inject malicious JavaScri
Source: nvd
CVE-2021-41175 | P4 | MEDIUM | CVSS 5.4 | CWE-79 (Cross-site Scripting) | fixed in 5.8 | 2021-10-26
Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.
Source: nvd
CVE-2021-3812 | P4 | MEDIUM | CVSS 6.1 | CWE-79 (Cross-site Scripting) | fixed in 5.6 | 2021-09-17
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd
CVE-2021-3811 | P4 | MEDIUM | CVSS 6.1 | CWE-79 (Cross-site Scripting) | fixed in 5.6 | 2021-09-17
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Source: nvd
CVE-2026-33405 | P4 | MEDIUM | CVSS 4.8 | CWE-79 (Cross-site Scripting) | affects ≥ 6.0, ≤ 6.4.1 | 2026-04-06
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML inject
Source: nvd