CVE-2025-34087 · HIGH 8.8 · EPSS p91.1%

CVE-2025-34087

Description

An authenticated OS command injection vulnerability exists in the Pi-hole web interface (the legacy AdminLTE interface) in versions up to 3.3. When a logged-in user adds a domain to the allowlist (the "whitelist" in the v3.3 interface), the domain parameter is not sanitized before it reaches the shell command that performs the change, so an attacker with an admin-interface login can append OS commands to the domain string. The appended commands run on the underlying host with the privileges of the Pi-hole service user. The CVSS vector below (PR:L, UI:N) reflects that a low-privileged login and no user interaction are required. The flaw was fixed in later releases of the web interface; the pi-hole/web v4.0 release, the Pulse Security advisory for v3.3, and a public Metasploit module for this issue are among the references.
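The pattern behind this CVE is CWE-78: a user-controlled value is interpolated into a command string that a shell parses. The following is an added illustration, not Pi-hole's own code. It shows the vulnerable string-interpolation form beside a hardened form that validates the domain against a hostname grammar and passes it as a single argv element. `echo` stands in for the privileged maintenance command so the example runs offline, and the RFC 1123 hostname regex (two or more labels, letters/digits/hyphens) is an assumed validation rule, not one taken from the project.

```python
"""CWE-78 in the shape described for CVE-2025-34087: a handler passes a
user-supplied domain into a shell command string.

Added example, not Pi-hole code. `echo` replaces the privileged command so
this runs offline; the hostname regex is an assumed allowlist rule."""
import re
import subprocess

# Constructed attacker input: a plausible domain with a shell command appended.
INJECTED_DOMAIN = "ads.example.com; echo INJECTED"
CLEAN_DOMAIN = "ads.example.com"

# Assumed RFC 1123 hostname rule: labels of letters/digits/hyphens that do not
# start or end with '-', at least two labels, optional trailing dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$")


def vulnerable_add(domain: str) -> list[str]:
    """Vulnerable form: the domain is interpolated into a string handed to /bin/sh.
    Returns stdout lines; a second line proves the appended command ran."""
    cmd = f"echo adding {domain}"  # attacker text becomes shell syntax here
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def is_valid_hostname(domain: str) -> bool:
    """Allowlist check: overall length plus per-label syntax."""
    return len(domain) <= 253 and HOSTNAME_RE.fullmatch(domain) is not None


def argv_only_add(domain: str) -> list[str]:
    """Defense in depth on its own: with argv form and no shell, metacharacters
    are inert and the whole payload is echoed literally as one argument."""
    out = subprocess.run(["echo", "adding", domain], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def hardened_add(domain: str) -> list[str]:
    """Hardened form: reject anything that is not a hostname, then pass the
    value as a single argv element so no shell ever parses it."""
    if not is_valid_hostname(domain):
        raise ValueError(f"rejected domain: {domain!r}")
    return argv_only_add(domain)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_add(INJECTED_DOMAIN))
    print("argv only: ", argv_only_add(INJECTED_DOMAIN))
    try:
        hardened_add(INJECTED_DOMAIN)
    except ValueError as err:
        print("hardened:  ", err)
    print("hardened:  ", hardened_add(CLEAN_DOMAIN))
```

Running it prints two stdout lines for the vulnerable form (the injected `echo INJECTED` executed), one literal line for the argv-only form, and a rejection for the hardened form. Both layers matter: validation keeps junk out of the allowlist entirely, while the argv form means a validation gap does not become code execution.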

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.97% probability of exploitation · percentile 91.1% · scored 2026-06-19T12:03:05Z
Published: 2025-07-03
Last modified: 2025-10-01

Underlying weaknesses · 1

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

  1. https://github.com/pi-hole/web/releases/tag/v4.0
  2. https://pi-hole.net/
  3. https://pulsesecurity.co.nz/advisories/pihole-v3.3-vulns
  4. https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/http/pihole_whitelist_exec.rb
  5. https://vulncheck.com/advisories/pihole-adminlte-whitelist-rce

Type      Target                                                                                               Confidence  Tier
Weakness  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE · CVE-2026-33765
  2. CVE · Pi-Hole AdminLTE Remote Code Execution Vulnerability
  3. CVE · CVE-2025-59151
  4. CVE · CVE-2026-35517
  5. CVE · CVE-2026-35519
  6. CVE · CVE-2026-39849
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.