The PiHole interacts with DNS servers. Theoretically - imagine a crafted TXT Record which is somehow improperly handled by dnsmasq.

Essentially - it's reading user-defined data - which is probably enough to be really bad, incase of a malicious exploit in the wild.