{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33727", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-04-06T15:02:19.693Z", "dateUpdated": "2026-04-07T13:06:34.177Z"}, "containers": {"cna": {"title": "Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74"}], "affected": [{"vendor": "pi-hole", "product": "pi-hole", "versions": [{"version": ">= 6.4, < 6.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:02:19.693Z"}, "descriptions": [{"lang": "en", "value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1."}], "source": {"advisory": "GHSA-c935-8g63-qp74", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T03:56:01.049919Z", "id": "CVE-2026-33727", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:06:34.177Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).", "source": {"advisory": "GHSA-c935-8g63-qp74", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pi-hole", "product": "pi-hole", "versions": [{"status": "affected", "version": ">= 6.4, < 6.4.1"}]}], "references": [{"url": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74", "name": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:02:19.693Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33727", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T03:56:01.049919Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T13:06:31.281Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33727", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:02:19.693Z", "dateReserved": "2026-03-23T17:34:57.560Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T15:02:19.693Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:pi-hole:6.4:*:*:*:*:*:*:*", "matchCriteriaId": "3E760B4F-996F-4B2D-9E52-C0E656775168", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1."}], "id": "CVE-2026-33727", "lastModified": "2026-04-09T18:18:28.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-06T16:16:33.987", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.4,6.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pi-hole", "source": "cna", "vendor": "pi-hole"}, "product": "pi-hole", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-09T19:26:11.368470+00:00", "value": {"mitigation_remediation": ["Upgrade to Pi\u2011hole 6.4.1 or later", "Verify that the Pi\u2011hole service runs under the pihole user and limit write permission to /etc/pihole/versions", "Audit /etc/pihole/versions for unauthorized entries", "Restart Pi\u2011hole after updates to ensure changes take effect"], "summary": {"action": "Immediate Patch", "impact": "Local Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Pi\u2011hole deployments running version 6.4 are affected. The issue is specific to the official Pi\u2011hole package, and any system using that package and not yet updated to 6.4.1 will remain vulnerable.", "description_and_impact": "A flaw in Pi\u2011hole version 6.4 permits a compromise of the low\u2011privilege pihole account to lead to code execution as root. The vulnerability arises because root\u2011run Pi\u2011hole scripts read attacker\u2011controlled entries from /etc/pihole/versions, which allows arbitrary code to be run with root privileges. This grants complete control over the host, including data theft, persistence, or further lateral movement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not in CISA\u2019s Known Exploited Vulnerabilities catalog. However, the attack requires that an attacker already has the pihole user\u2019s capabilities to be able to modify or inject files into /etc/pihole/versions, after which the vulnerability is trivially exploitable with root\u2011level impact. The attack vector is post\u2011compromise local, with no need for external network exposure."}}}}, "created": "2026-04-06T20:14:16.258777+00:00", "updated": "2026-04-10T09:45:14.390824+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$pi-hole"]}