CVE-2026-33727

EUVD-2026-19291

06.04.2026, 16:16

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Vulnerability Media Exposure

[GERMAN] Schadcode-Sicherheitslücken in Werbeblocker Pi-hole geschlossen
Es sind wichtige Updates für den Open-Source-Werblocker Pi-hole erschienen. Unter anderem kann Schadcode auf Systeme gelangen.
Published: 2026-04-06T11:09:00+00:00

References

https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74