CVE-2026-33765

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33765
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33765.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33765
Aliases
  • GHSA-828h-5x96-rqx7
Published
2026-03-27T19:46:57.679Z
Modified
2026-04-10T05:42:56.536170Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Pi-hole Web Interface has a Command Injection Vulnerability
Details

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33765.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/pi-hole/web

Affected ranges

Type
GIT
Repo
https://github.com/pi-hole/web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a66d859aecb427faad6adfce144fd97fbeb26a13
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.0"
        }
    ]
}

Affected versions

0.*
0.1
1.*
1.0
1.1
1.2
1.2.1
2.*
2.0.0
2.1.0
2.1.1
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.2
v1.3
v1.4
v1.4.1
v1.4.2
v1.4.3
v1.4.3.1
v1.4.3.1a
v1.4.4
v1.4.4.1
v1.4.4.2
v2.*
v2.0
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.5
v2.1
v2.1.0-alpha-1
v2.1.0-beta
v2.1.2
v2.2
v2.2.0
v2.3
v2.3.1
v2.4
v2.5
v2.5.1
v2.5.2
v3.*
v3.0
v3.0.1
v3.0.1a
v3.1
v3.2
v3.2.1
v3.3
v4.*
v4.0
v4.1
v4.1.1
v4.2
v4.3
v4.3.2
v4.3.3
v5.*
v5.0
v5.1
v5.1.1
v5.10
v5.10.1
v5.11
v5.12
v5.13
v5.14
v5.14.1
v5.14.2
v5.15
v5.15.1
v5.16
v5.17
v5.18
v5.18.1
v5.18.2
v5.18.3
v5.18.4
v5.19
v5.2
v5.2.1
v5.2.2
v5.20
v5.20.1
v5.20.2
v5.21
v5.3
v5.3.1
v5.3.2
v5.4
v5.5
v5.5.1
v5.6
v5.7
v5.8
v5.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33765.json"