CVE-2025-34087

Name of the Vulnerable Software and Affected Versions: Pi-hole versions up to 3.3

Description: An authenticated command injection issue exists, allowing an attacker to append OS commands to the domain string when adding a domain to the allowlist via the web interface. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface.

Recommendations: For versions up to 3.3, update to a version later than 3.3 to patch the vulnerability. As a temporary workaround, consider restricting access to the allowlist feature in the web interface until a patch is applied. Avoid using the domain parameter in the allowlist feature via the web interface until the issue is resolved.