CVE-2026-50130
Received
Received - Intake
BaseFortify
Vulnerability report for CVE-2026-50130, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-14
Last updated on: 2026-07-14
Assigner: GitHub, Inc.
Description
Description
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can escalate to root by replacing /etc/pihole/logrotate. The replacement is laundered to root:root ownership by pihole-FTL-prestart.sh and then parsed as root by the daily pihole flush cron, executing firstaction shell as uid 0. This issue is fixed in version 6.4.3.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | pi-hole | to 6.4.2 (inc) |
| pi-hole | pi-hole | 6.4.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-282 | The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource. |