CVE-2021-32706
HIGHPi-hole Web interface <5.5.1 - Code Injection
Title source: llmDescription
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the `validDomainWildcard` preg_match filter allows a malicious character through that can be used to execute code, list directories, and overwrite sensitive files. The issue lies in the fact that one of the periods is not escaped, allowing any character to be used in its place. A patch for this vulnerability was released in version 5.5.1.
Exploits (1)
metasploit
WORKING POC
by h00die, SchneiderSec · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/pihole_domains_api_exec.rb
Scores
CVSS v3
7.6
EPSS
0.6105
EPSS Percentile
98.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Classification
CWE
CWE-94
Status
published
Affected Products (1)
pi-hole/pi-hole
< 5.5.1
Timeline
Published
Aug 04, 2021
Tracked Since
Feb 18, 2026