anonhaven
Ad

CVE-2025-59151

HIGH CVSS 3.1: 8.2 EPSS 0.11%
Updated Dec 18, 2025
Pi-Hole
Parameter Value
CVSS 8.2 (HIGH)
Affected Versions before 6.3
Fixed In 6.3
Type CWE-93, CWE-113
Vendor Pi-Hole
Public PoC No

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level advertisement and internet tracker blocking application. Pi-hole Admin Interface before 6.3 is vulnerable to Carriage Return Line Feed (CRLF) injection. When a request is made to a file ending with the .lp extension, the application performs a redirect without properly sanitizing the input.

An attacker can inject carriage return and line feed characters (%0d%0a) to manipulate both the headers and the content of the HTTP response. This enables the injection of arbitrary HTTP response headers, potentially leading to session fixation, cache poisoning, and the weakening or bypassing of browser-based security mechanisms such as Content Security Policy or X-XSS-Protection. This vulnerability is fixed in 6.3.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
Low
Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-93
CWE-113

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Pi-Hole Web_Interface
cpe:2.3:a:pi-hole:web_interface:*:*:*:*:*:*:*:*
 6.3

References 1

https://github.com/pi-hole/web/security/advisories/GHSA-5v79-p56f-x7c4
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35491

Pi-Hole

6.1

CVE-2026-33727

Pi-Hole

6.7

CVE-2026-33405

Pi-Hole

4.8

CVE-2026-33403

Pi-Hole

6.1

CVE-2026-33765

PHP

8.9