Pi-Hole · Pi-Hole · CVE-2026-33765
**Name of the Vulnerable Software and Affected Versions**
Pi-hole versions prior to 6.0
**Description**
The Pi-hole Admin Interface, a web interface for managing the Pi-hole ad and internet tracker blocking application, contains an OS Command Injection issue in the `savesettings.php` file. The application directly incorporates the user-controlled `$_POST['webtheme']` parameter into a system command executed using PHP’s `exec()` function without proper sanitization or validation. This allows an attacker to append and execute arbitrary system commands with elevated (root) privileges through the use of `sudo`.
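The pattern described above, next to a hardened form, as an added illustration that is not Pi-hole source code. The helper path, theme names and function names are hypothetical placeholders, and the demo only builds and prints command strings without executing them.

```php
<?php
// Added illustration; not Pi-hole source code.
const THEME_HELPER   = '/usr/local/bin/set-theme';        // hypothetical placeholder path
const ALLOWED_THEMES = ['default-light', 'default-dark']; // hypothetical allow-list

// Vulnerable shape: request data concatenated into a sudo command line.
// Shell metacharacters in the value become part of the command.
function buildCommandVulnerable(array $post): string
{
    return 'sudo ' . THEME_HELPER . ' ' . $post['webtheme'];
}

// Hardened shape: exact-match allow-list first, then quote as one argument.
function buildCommandHardened(array $post): ?string
{
    $theme = $post['webtheme'] ?? null;
    if (!is_string($theme) || !in_array($theme, ALLOWED_THEMES, true)) {
        return null; // reject outright; do not try to "clean" the value
    }
    return 'sudo ' . escapeshellarg(THEME_HELPER) . ' ' . escapeshellarg($theme);
}

// How a settings handler would use the hardened builder (not called in the demo).
function saveTheme(array $post): bool
{
    $cmd = buildCommandHardened($post);
    if ($cmd === null) {
        // json_encode keeps control characters out of the log line
        error_log('webtheme rejected: ' . json_encode($post['webtheme'] ?? null));
        return false;
    }
    exec($cmd, $output, $status);
    return $status === 0;
}

// Constructed sample inputs: one valid theme, one carrying a shell separator.
$samples = ['default-dark', 'default-dark; echo INJECTED'];
foreach ($samples as $value) {
    $post = ['webtheme' => $value];
    printf("input:      %s\n", json_encode($value));
    printf("vulnerable: %s\n", buildCommandVulnerable($post));
    printf("hardened:   %s\n\n", buildCommandHardened($post) ?? '(rejected)');
}
```

On PHP 7.4 and later, passing the command to `proc_open()` as an array avoids the shell altogether, so quoting is no longer the only barrier.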
**Recommendations**
Update to version 6.0 or later.