CVE-2026-33765

Name of the Vulnerable Software and Affected Versions Pi-hole versions prior to 6.0

Description The Pi-hole Admin Interface, a web interface for managing the Pi-hole ad and internet tracker blocking application, contains an OS Command Injection issue in the savesettings.php file. The application directly incorporates the user-controlled $ POST['webtheme'] parameter into a system command executed using PHP’s exec() function without proper sanitization or validation. This allows an attacker to append and execute arbitrary system commands with elevated (root) privileges through the use of sudo.

Recommendations Update to version 6.0 or later.