SB20260408107 - Server-Side Request Forgery (SSRF) in Pi-hole



SB20260408107 - Server-Side Request Forgery (SSRF) in Pi-hole

Published: April 8, 2026

Security Bulletin ID SB20260408107
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-34361)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side request forgery in the gravity_DownloadBlocklistFromUrl() function when downloading blocklists from user-supplied URLs. A remote user can send a specially crafted URL using supported protocols to execute arbitrary code.

Exploitation depends on certain circumstances, including the presence of reachable internal services that can be abused through supported protocols such as gopher://.


Remediation

Install update from vendor's website.