Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

FTLDNS, the DNS engine that powers Pi‑hole, has a flaw in how it processes the dns.upstreams configuration setting. An attacker who can authenticate to the Pi‑hole API or configuration interface can inject newline characters into this parameter. The engine then appends arbitrary dnsmasq configuration directives to its internal file, and because dnsmasq executes those directives the attacker can run shell commands on the host system, effectively taking control of the machine hosting Pi‑hole.

Affected Systems

Versions of pi‑hole FTL from 6.0 up to, but not including, 6.6 are affected. The vulnerability was addressed in release 6.6, so any installation that is still on an earlier version remains vulnerable.

Risk and Exploitability

The CVSS score of 8.8 places this flaw in the high severity range. No EPSS score is available and the vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog. The attack requires authenticated access to the Pi‑hole configuration, but once the newline injection is performed, the attacker can execute arbitrary commands without further interaction, making the omission easy to leverage against any privileged user.

Generated by OpenCVE AI on April 7, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pi‑hole FTL to version 6.6 or later

Generated by OpenCVE AI on April 7, 2026 at 22:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Pi-hole
Pi-hole ftldns
Vendors & Products Pi-hole
Pi-hole ftldns

Thu, 09 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Title Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
Weaknesses CWE-78
CWE-93
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Pi-hole Ftldns
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:19:50.497Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35517

cve-icon Vulnrichment

Updated: 2026-04-07T18:19:46.559Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T16:16:28.093

Modified: 2026-04-28T20:36:11.187

Link: CVE-2026-35517

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:24:17Z

Weaknesses