Pi-hole
Pi-hole
See the latest tracked release, confirm when it was published, and subscribe for update emails.
6.4.2
- Release date
- April 24, 2026
- Security status
- 1 high-severity CVE tracked in the last 90 days. Current version not affected.
Source
GitHub API
Public release notes are linked for the latest stored release.
Release history
See the latest published releases stored for this product.
| Version | Published | Notes |
|---|---|---|
| 6.4.2 | 2026-04-24 | Release Notes |
Vulnerability tracking
versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.
Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.
| CVE | Severity | Published | Status | Summary |
|---|---|---|---|---|
| CVE-2026-41489 | HIGH (8.8) | 2026-05-11 | Current versionnot affected | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1. Affected versions
|