Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the DNS CNAME records configuration parameter (dns.cnameRecords). An attacker who is authenticated to the Pi‑hole FTL API can inject newline characters into this setting, causing arbitrary dnsmasq configuration directives to be written. This leads to command execution on the host operating system, representing a full remote code‑execution vulnerability.
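As an added illustration of the input check that closes this class of bug (CWE-93, CRLF injection into a generated config), and not code from Pi-hole FTL: a validator for dnsmasq-style CNAME entries in the `<alias>,<target>[,<ttl>]` form, which rejects any entry that would terminate the generated `cname=` line and let the remainder be parsed as a new directive. Hostnames and TTLs in the sample entries are constructed.

```python
import re

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(name: str) -> bool:
    """True if every label of name is a syntactically valid DNS label."""
    if not 0 < len(name) <= 253:
        return False
    return all(HOSTNAME_LABEL.match(label) for label in name.rstrip(".").split("."))


def validate_cname_record(entry: str) -> tuple:
    """Return (ok, reason) for one dnsmasq cname entry: <alias>,<target>[,<ttl>]."""
    # Any control character (CR, LF, TAB, ...) must be rejected outright: a newline
    # inside the value ends the cname= line in the written dnsmasq config and
    # everything after it is read as a separate directive.
    if any(ord(c) < 0x20 or c == "\x7f" for c in entry):
        return False, "control character in entry"
    parts = entry.split(",")
    if len(parts) not in (2, 3):
        return False, "expected <alias>,<target>[,<ttl>]"
    alias, target = parts[0], parts[1]
    if not (is_hostname(alias) and is_hostname(target)):
        return False, "alias/target is not a valid hostname"
    if len(parts) == 3 and not parts[2].isdigit():
        return False, "ttl must be a non-negative integer"
    return True, "ok"


def render_cname_lines(entries) -> list:
    """Emit cname= lines only for entries that pass validation; fail closed otherwise."""
    lines = []
    for entry in entries:
        ok, reason = validate_cname_record(entry)
        if not ok:
            raise ValueError(f"rejected {entry!r}: {reason}")
        lines.append(f"cname={entry}")
    return lines


if __name__ == "__main__":
    # Constructed sample entries; the third carries an embedded newline.
    samples = ["printer.lan,printer-01.lan", "app.lan,app.lan,300",
               "app.lan,app.lan\ninjected-directive=value"]
    for s in samples:
        print(repr(s), "->", validate_cname_record(s))
```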

Affected Systems

The issue affects Pi‑hole FTL versions 6.0 through any release before 6.6. The vulnerability is limited to the FTL engine and does not impact other components of Pi‑hole. Updating to FTL 6.6 or later removes the flaw.

Risk and Exploitability

The problem scores an 8.8 on CVSS, indicating high severity, while the EPSS score is unavailable. It is not listed in the CISA KEV catalog, suggesting no known public exploitation yet. The vulnerability can only be triggered by an authenticated user of the FTL API, but once authenticated, the attacker can execute arbitrary system commands via the injected configuration.

Generated by OpenCVE AI on April 7, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole FTL to version 6.6 or newer.
  • Verify the FTL version after the upgrade.
  • Restrict API access to trusted administrators to reduce the attack surface.
  • Monitor logs for unexpected API activity.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
Values Added: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.

Type: Title
Values Added: Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection

Type: Weaknesses
Values Added: CWE-78, CWE-93

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:55:05.699Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35518

Vulnrichment

Updated: 2026-04-08T14:54:56.798Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T16:16:28.243

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:23Z

Weaknesses