OS Command Injection Vulnerability in Pi-hole Admin Interface by Pi-hole
CVE-2026-33765

8.9 HIGH

Key Information:

Vendor: Pi-hole
Status: Vendor
CVE Published: 27 March 2026

What is CVE-2026-33765?

The Pi-hole Admin Interface, the web front end used to manage the Pi-hole ad and internet tracker blocking application, contains an OS Command Injection vulnerability in versions prior to 6.0. The flaw stems from how savesettings.php handles the $_POST['webtheme'] parameter: the value is taken from the request without validation or sanitization and concatenated directly into a system command string that is run through PHP's exec() function, so an attacker who controls that parameter can inject arbitrary system commands. Because the command runs with elevated privileges, a successful injection yields correspondingly broad control over the affected host. Version 6.0 patches this vulnerability.
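
The following is an added illustration, not Pi-hole's code, of the pattern the advisory describes: request input spliced into a shell command, shown next to a hardened handler that allowlists the value, quotes it, and (where PHP 7.4+ is available) avoids the shell entirely. The command name `apply-theme`, the use of `sudo` to stand in for "elevated privileges", and the theme identifiers are placeholders; the page does not state the actual command the interface runs.

```php
<?php
// Added example (not Pi-hole's code): unsafe and hardened handling of a
// theme-name setting that ends up on a command line. "apply-theme", "sudo"
// and the theme names are placeholders, not values taken from the project.

declare(strict_types=1);

// Constructed allowlist: the only values the application itself defines.
const ALLOWED_THEMES = ['default-light', 'default-dark', 'high-contrast'];

// --- Unsafe pattern: request input concatenated straight into a shell string.
// Whatever the client sends, including shell metacharacters, reaches the shell.
function buildCommandUnsafe(array $post): string
{
    return 'sudo apply-theme ' . ($post['webtheme'] ?? '');
}

// --- Hardened step 1: accept only known values. Unknown input is an error,
// not something to "clean up".
function validateTheme(array $post): string
{
    $theme = $post['webtheme'] ?? null;
    if (!is_string($theme) || !in_array($theme, ALLOWED_THEMES, true)) {
        throw new InvalidArgumentException('webtheme must be one of the known themes');
    }
    return $theme;
}

// --- Hardened step 2: even an allowlisted value is quoted, so a later change
// to the allowlist cannot quietly reintroduce injection.
function buildCommandSafe(array $post): string
{
    $theme = validateTheme($post);
    return 'sudo apply-theme ' . escapeshellarg($theme);
}

// --- Strongest option (PHP >= 7.4): pass argv as an array to proc_open so no
// shell parses the command line at all. Returns the process exit code.
function runThemeCommandNoShell(array $post): int
{
    $theme = validateTheme($post);
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc  = proc_open(['sudo', 'apply-theme', $theme], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start apply-theme');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration on constructed request bodies (no command is executed here).
$good = ['webtheme' => 'default-dark'];
$bad  = ['webtheme' => 'default-dark; extra words here'];   // constructed hostile-looking value

echo buildCommandUnsafe($bad), "\n";   // the shell would treat the text after ';' as a second command
echo buildCommandSafe($good), "\n";    // sudo apply-theme 'default-dark'
try {
    buildCommandSafe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The order matters: the allowlist check is the real control, because it rejects anything that is not one of a handful of known identifiers before any command string exists; `escapeshellarg()` and the array form of `proc_open()` are defence in depth for the day someone widens the allowlist or adds a new code path that forgets it.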

Affected Version(s)

web < 6.0

References

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
