SB20260408107 - Server-Side Request Forgery (SSRF) in Pi-hole



Published: April 8, 2026

Security Bulletin ID: SB20260408107
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-34361)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side request forgery in the gravity_DownloadBlocklistFromUrl() function when downloading blocklists from user-supplied URLs. A remote user can send a specially crafted URL using supported protocols to execute arbitrary code.

Exploitation depends on certain circumstances, including the presence of reachable internal services that can be abused through supported protocols such as gopher://.
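
The check below is an added example, not Pi-hole's code or the vendor's patch: it audits a list of blocklist URLs and rejects any whose scheme is not http or https, then constrains curl to the same protocols on the fetch and on redirects. The function names, the http/https-only policy and the sample URLs are assumptions made for illustration.

```shell
# Added example (hypothetical helpers, not Pi-hole code): scheme allowlist for blocklist URLs.

# Print the lowercased scheme of a URL; print nothing if there is no "scheme://" prefix.
url_scheme() {
    case "$1" in
        *://*) printf '%s' "${1%%://*}" | tr 'A-Z' 'a-z' ;;
        *) : ;;
    esac
}

# Return 0 if the URL may be fetched as a blocklist (http or https only), 1 otherwise.
is_allowed_blocklist_url() {
    case "$(url_scheme "$1")" in
        http|https) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one URL per line on stdin and print a REJECT line for each disallowed entry.
# The last line of output is a summary of the form "rejected=N".
audit_blocklist_urls() {
    rejected=0
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        if ! is_allowed_blocklist_url "$url"; then
            printf 'REJECT scheme=%s url=%s\n' "$(url_scheme "$url")" "$url"
            rejected=$((rejected + 1))
        fi
    done
    printf 'rejected=%d\n' "$rejected"
}

# Constructed sample input; the example.test hosts are placeholders.
sample_urls() {
    cat <<'EOF'
https://lists.example.test/hosts.txt
HTTP://lists.example.test/ads.txt
gopher://internal.example.test/placeholder
file:///etc/hostname
lists.example.test/no-scheme.txt
EOF
}

# Defence in depth at the fetch itself: curl's --proto and --proto-redir limit
# the initial request and any redirect to the listed protocols.
fetch_blocklist() {
    is_allowed_blocklist_url "$1" || return 1
    curl --silent --fail --proto '=http,https' --proto-redir '=http,https' \
         --max-time 30 --output "$2" -- "$1"
}
```

Running `sample_urls | audit_blocklist_urls` flags the gopher, file and scheme-less entries and leaves the two HTTP(S) entries alone.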


Remediation

Install the update from the vendor's website.