CVE-2026-33765
Critical OS Command Injection in Pi-hole Admin Interface Before
Publication date: 2026-03-27
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | web_interface | < 6.0 (6.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33765 is a critical OS Command Injection vulnerability in the Pi-hole Admin Interface versions prior to 6.0, specifically in the savesettings.php file.
The vulnerability occurs because the application takes the user-controlled $_POST['webtheme'] parameter and directly concatenates it into a system command executed via PHP's exec() function without any input sanitization or validation.
This allows an attacker to append arbitrary system commands to the intended Pi-hole command, which are then executed with sudo privileges, meaning the injected commands run with elevated (likely root) privileges.
For example, an attacker could set webtheme=default; id > /tmp/hacked.txt to execute the id command and write its output to a file.
This vulnerability corresponds to CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').
The issue was patched in Pi-hole version 6.0.
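To make the CWE-78 pattern described above concrete, here is an added PHP illustration written for this page; it is not Pi-hole's savesettings.php and the command name `pihole -a theme` and the theme names in the allow-list are assumed values. The unsafe function builds the shell string the way the vulnerable code does (string concatenation), but only returns it instead of passing it to exec(), so the effect of the payload quoted above can be inspected without running anything; the hardened function rejects anything outside an allow-list and shell-escapes the value as defence in depth.

```php
<?php
// Added illustration, not Pi-hole's code. "pihole -a theme" is an assumed
// command name used only to show the shape of the vulnerable pattern.

// Vulnerable shape: the POST value is concatenated straight into the shell
// string. In the vulnerable code this string reaches exec(); here it is
// only built and returned so it can be inspected safely.
function buildThemeCommandUnsafe(string $webtheme): string
{
    return "sudo pihole -a theme " . $webtheme;
}

// Hardened shape: allow-list first, then escapeshellarg() as defence in depth.
// The theme names below are assumed, not Pi-hole's actual list.
const ALLOWED_THEMES = ['default', 'default-light', 'default-dark', 'default-darker'];

function buildThemeCommandSafe(string $webtheme): string
{
    if (!in_array($webtheme, ALLOWED_THEMES, true)) {
        throw new InvalidArgumentException(
            "Rejected theme value: " . var_export($webtheme, true)
        );
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so a ';' or other metacharacter can no longer terminate the command.
    return "sudo pihole -a theme " . escapeshellarg($webtheme);
}

// Simulated $_POST['webtheme'] values: a benign one and the payload from
// the proof of concept quoted on this page.
$inputs = ['default', 'default; id > /tmp/hacked.txt'];

foreach ($inputs as $value) {
    echo "input: " . var_export($value, true) . PHP_EOL;
    // With the payload, the shell sees two commands separated by ';'.
    echo "  unsafe command: " . buildThemeCommandUnsafe($value) . PHP_EOL;
    try {
        echo "  safe command:   " . buildThemeCommandSafe($value) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "  safe command:   " . $e->getMessage() . PHP_EOL;
    }
}
```

Run it with `php` on the command line. The allow-list is the real fix: shell escaping alone still hands an attacker-chosen string to a privileged command, and a fixed set of theme names is what the parameter was ever meant to carry.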
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an attacker to execute arbitrary system commands on the affected system with elevated (likely root) privileges.
An attacker could leverage this to take full control of the system running Pi-hole, potentially leading to data theft, system compromise, installation of malware, or disruption of network services.
Since the commands run with sudo privileges, the attacker bypasses normal security restrictions, increasing the risk and potential damage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Pi-hole Web Interface version is prior to 6.0, as versions up to v5.21 are affected.
Additionally, you can look for evidence of command injection by searching for unusual files or outputs created by injected commands. For example, a proof of concept uses the payload `webtheme=default; id > /tmp/hacked.txt` which executes the `id` command and writes its output to `/tmp/hacked.txt`.
Suggested commands to detect exploitation attempts or presence of injected commands include:
- Check Pi-hole version: `pihole -v` or check the web interface version.
- Look for suspicious files created by command injection, e.g., `cat /tmp/hacked.txt`.
- Monitor web server logs for suspicious POST requests to `savesettings.php` containing unusual characters or command delimiters like `;`.
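The log-monitoring suggestion above can be turned into a small scanner. The following PHP script is an added example for this page, not a Pi-hole tool, and it assumes a log source that records request bodies (for example a reverse proxy or WAF with body logging), since ordinary access logs do not contain POST bodies. The sample lines are constructed; the line layout `<ip> <method> <path> <url-encoded body>` is an assumption for the example.

```php
<?php
// Added detection example, not part of the advisory or of Pi-hole.
// Flags POST requests to savesettings.php whose decoded webtheme value
// contains shell metacharacters or falls outside a theme-name allow-list.
// Requires PHP 8 (str_ends_with).

// Constructed sample log: "<ip> <method> <path> <url-encoded body>".
// Line 3 carries the URL-encoded form of the payload quoted on this page.
$sampleLog = <<<'LOG'
192.0.2.10 POST /admin/savesettings.php webtheme=default-dark
192.0.2.20 GET /admin/index.php -
192.0.2.30 POST /admin/savesettings.php webtheme=default%3B+id+%3E+%2Ftmp%2Fhacked.txt
192.0.2.40 POST /admin/savesettings.php webtheme=default%60id%60
LOG;

// A legitimate theme name needs nothing beyond these characters; anything
// else is flagged even if no known metacharacter appears.
const THEME_ALLOWLIST = '/^[A-Za-z0-9_-]+$/';
// Common shell delimiters and substitution characters.
const SHELL_META = '/[;&|`$<>\n\r]/';

function findInjectionAttempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        $parts = explode(' ', $line, 4);
        if (count($parts) < 4) {
            continue;
        }
        [$ip, $method, $path, $body] = $parts;
        if ($method !== 'POST' || !str_ends_with($path, '/savesettings.php')) {
            continue;
        }
        parse_str($body, $params);   // URL-decodes the form body into an array
        if (!isset($params['webtheme'])) {
            continue;
        }
        $theme = (string) $params['webtheme'];
        if (!preg_match(THEME_ALLOWLIST, $theme) || preg_match(SHELL_META, $theme)) {
            $hits[] = ['line' => $index + 1, 'ip' => $ip, 'webtheme' => $theme];
        }
    }
    return $hits;
}

foreach (findInjectionAttempts($sampleLog) as $hit) {
    printf("line %d from %s: suspicious webtheme=%s\n",
        $hit['line'], $hit['ip'], var_export($hit['webtheme'], true));
}
```

Decoding the body before matching matters: the proof-of-concept payload arrives as `default%3B+id+%3E+%2Ftmp%2Fhacked.txt`, so a grep for a literal `;` in the raw request would miss it. On the constructed sample the script reports lines 3 and 4 and passes the benign theme on line 1.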
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Pi-hole Web Interface to version 6.0 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the Pi-hole Admin Interface to trusted users only, to reduce the risk of exploitation.
Additionally, monitor the system for any signs of compromise, such as unexpected files or commands executed with elevated privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.