Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An authenticated attacker can inject newline characters into the dns.hostRecord setting of Pi-hole FTL, causing the injected text to be interpreted as additional dnsmasq configuration directives and ultimately executing shell commands on the host. The flaw is a command-execution weakness (CWE-78) reached through newline injection into a configuration value (CWE-93). If exploited, the attacker can gain full control of the underlying operating system, allowing data modification or destruction.
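To make the mechanism concrete, here is an added Python illustration (not pihole-FTL's own code): a naive renderer that writes the setting into a line-oriented dnsmasq config, beside a validator that rejects such a value before it is written. The dnsmasq host-record syntax (host-record=<name>[,<name>...],<IP>[,<IP>]) and all sample names and addresses are assumptions.

```python
"""Added illustration, not pihole-FTL code: a line-oriented config writer
treats any embedded newline as the start of a new directive (CWE-93), so the
value must be validated before it reaches the file. Sample data is constructed."""
import ipaddress
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # assumed RFC 1123 label rule

def render_naive(value: str) -> str:
    """Vulnerable pattern: the setting is interpolated unchanged, so a
    newline inside it splits the line into two directives."""
    return f"host-record={value}\n"

def count_directives(config_text: str) -> int:
    """Number of non-empty lines dnsmasq would parse as separate directives."""
    return sum(1 for line in config_text.split("\n") if line.strip())

def validate_host_record(value: str) -> tuple[bool, str]:
    """Hardened check: refuse control characters outright, then confirm the
    value really is a host record (hostnames plus at least one IP address)."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False, "control character in value"
    parts = [p.strip() for p in value.split(",")]
    if any(not p for p in parts):
        return False, "empty field"
    names, addrs = [], []
    for part in parts:
        try:
            addrs.append(ipaddress.ip_address(part))
        except ValueError:
            names.append(part)
    if not names or not addrs:
        return False, "need at least one hostname and one IP address"
    for name in names:
        if not all(_LABEL.match(label) for label in name.split(".")):
            return False, f"invalid hostname {name!r}"
    return True, "ok"

if __name__ == "__main__":
    good = "pi.hole,192.168.1.2"                 # constructed, well-formed value
    bad = "pi.hole,192.168.1.2\nlog-queries"     # constructed: smuggles a 2nd directive
    print(count_directives(render_naive(good)), validate_host_record(good))
    print(count_directives(render_naive(bad)), validate_host_record(bad))
```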

Affected Systems

Pi-hole FTL (pihole-FTL) versions 6.0 through 6.5 are affected. Users running any of these releases are vulnerable until they upgrade to a patched version.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the flaw requires authentication to the API. Once credentials are obtained, the attacker can exploit the newline injection without further conditions. The absence of an EPSS score and the lack of listing in KEV suggest no documented active exploitation, but the combination of high severity and potential for full system compromise makes the risk critical, warranting immediate attention.

Generated by OpenCVE AI on April 7, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi-hole FTL to version 6.6 or newer.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 18:00:00 +0000

Type          Values Removed    Values Added
Description                     FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Title                           Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
Weaknesses                      CWE-78, CWE-93
References
Metrics                         cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:18:27.377Z

Reserved: 2026-04-03T02:15:39.280Z

Link: CVE-2026-35519

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-07T16:16:28.397

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:20Z

Weaknesses