CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-34087 – Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution
https://notcve.org/view.php?id=CVE-2025-34087
03 Jul 2025 — An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions. Existe una vulnerabilidad de inyec... • https://github.com/pi-hole/web/releases/tag/v4.0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.5EPSS: 12%CPEs: 1EXPL: 1CVE-2024-34361 – Pi-hole Blind Server-Side Request Forgery (SSRF) vulnerability can lead to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2024-34361
05 Jul 2024 — Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. A vulnerability in versions prior to 5.18.3 allows an authenticated user to make internal requests to the server via the `gravity_DownloadBlocklistFromUrl()` function. Depending on some circumstances, the vulnerability could lead to remote command execution. Version 5.18.3 contains a patch for this issue. Pi-hole es un sumidero de DNS que protege los dispositivos de contenido no deseado sin ins... • https://github.com/T0X1Cx/CVE-2024-34361-PiHole-SSRF-to-RCE • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.6EPSS: 5%CPEs: 1EXPL: 1CVE-2024-28247 – Pihole Authenticated Arbitrary File Read with root privileges
https://notcve.org/view.php?id=CVE-2024-28247
27 Mar 2024 — The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software. A vulnerability has been discovered in Pihole that allows an authenticated user on the platform to read internal server files arbitrarily, and because the application runs from behind, reading files is done as a privileged user.If the URL that is in the list of "Adslists" begins with "file*" it is understood that it is updating from a local file, on the other hand if it does not begin ... • https://github.com/T0X1Cx/CVE-2024-28247-Pi-hole-Arbitrary-File-Read • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23614 – Improper session handling of "Remember me for 7 days" functionality
https://notcve.org/view.php?id=CVE-2023-23614
26 Jan 2023 — Pi-hole®'s Web interface (based off of AdminLTE) provides a central location to manage your Pi-hole. Versions 4.0 and above, prior to 5.18.3 are vulnerable to Insufficient Session Expiration. Improper use of admin WEBPASSWORD hash as "Remember me for 7 days" cookie value makes it possible for an attacker to "pass the hash" to login or reuse a theoretically expired "remember me" cookie. It also exposes the hash over the network and stores it unnecessarily in the browser. The cookie itself is set to expire af... • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-33w4-xf7m-f82m • CWE-613: Insufficient Session Expiration CWE-836: Use of Password Hash Instead of Password for Authentication •
CVSS: 5.3EPSS: 6%CPEs: 1EXPL: 3CVE-2022-23513 – Pi-Hole/AdminLTE vulnerable due to improper access control in queryads endpoint
https://notcve.org/view.php?id=CVE-2022-23513
22 Dec 2022 — Pi-Hole is a network-wide ad blocking via your own Linux hardware, AdminLTE is a Pi-hole Dashboard for stats and more. In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on `queryads` endpoint. In the case of application, this vulnerability exists because of a lack of validation in code on a root server path: `/admin/scripts/pi-hole/phpqueryads.php.` Potential threat actor(s) are able to perform an unauthorized query search in blocked domain l... • https://packetstorm.news/files/id/174460 • CWE-284: Improper Access Control •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31029 – Authenticated XSS in Pi-hole AdminLTE
https://notcve.org/view.php?id=CVE-2022-31029
07 Jul 2022 — AdminLTE is a Pi-hole Dashboard for stats and configuration. In affected versions inserting code like `<script>alert("XSS")</script>` in the field marked with "Domain to look for" and hitting <kbd>enter</kbd> (or clicking on any of the buttons) will execute the script. The user must be logged in to use this vulnerability. Usually only administrators have login access to pi-hole, minimizing the risks. Users are advised to upgrade. • https://github.com/pi-hole/AdminLTE/commit/b07372bd426ca8111824a0244dc89d07a7243509 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41175 – Stored XSS in Client Groups Management (Authenticated)
https://notcve.org/view.php?id=CVE-2021-41175
26 Oct 2021 — Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8. La interfaz Web de Pi-hole (basada en AdminLTE) proporciona una ubicación central para administrar el propio Pi-hole y revisar las estadísticas generadas por FTLDNS. En versiones anteriores a 5.8, era posible un at... • https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3812 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3812
17 Sep 2021 — adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de Entradas Durante la Generación de Páginas Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3811 – Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3811
17 Sep 2021 — adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') adminlte es vulnerable a una Neutralización Inapropiada de la Entrada Durante la Generación de la Página Web ("Cross-site Scripting") • https://github.com/pi-hole/adminlte/commit/f526716de7bb0fd382a64bcbbb33915c926f94bb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-3706 – Sensitive Cookie Without 'HttpOnly' Flag in pi-hole/adminlte
https://notcve.org/view.php?id=CVE-2021-3706
15 Sep 2021 — adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag adminlte es vulnerable a Cookie confidencial sin flag "HttpOnl" • https://github.com/pi-hole/adminlte/commit/cf8602eedd4a31eadb72372fc878c12d342f8600 • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag •