Impact
Pi-hole FTL (pihole-FTL) contains a remote code execution vulnerability: the DHCP lease time setting, dhcp.leaseTime, accepts newline characters, which are then interpreted as dnsmasq configuration directives. An authenticated attacker who can modify the lease time can exploit this flaw to inject arbitrary commands that execute on the host operating system, leading to full system compromise. The weakness stems from improper handling of newline characters in configuration input and corresponds to CWE-78 and CWE-93. The vulnerability is present in FTL releases from version 6.0 up to, but not including, version 6.6.
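One way to enforce the input handling this paragraph calls for, as an added example (not Pi-hole's code and not the fix shipped in 6.6): an allowlist check applied to a lease time value before it is written into a line-oriented dnsmasq configuration. The function name `lease_time_is_safe`, the 16-byte length cap and the rejection of empty input are assumptions; the accepted forms follow the dnsmasq man page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator (name and policy are assumptions, not Pi-hole code).
 * Accepted forms, per the dnsmasq man page: "infinite", or decimal digits
 * with an optional single m/h/d/w suffix (bare digits mean seconds).
 * The explicit length lets the caller pass input containing embedded NULs. */
bool lease_time_is_safe(const char *value, size_t len)
{
    if (value == NULL || len == 0 || len > 16)
        return false;

    /* Any control byte (LF, CR, NUL, ...) could end the current config line
     * or truncate the string, so refuse it before parsing (CWE-93). */
    for (size_t i = 0; i < len; i++)
        if (iscntrl((unsigned char)value[i]))
            return false;

    if (len == 8 && memcmp(value, "infinite", 8) == 0)
        return true;

    size_t digits = 0;
    while (digits < len && isdigit((unsigned char)value[digits]))
        digits++;
    if (digits == 0)
        return false;
    if (digits == len)
        return true;                      /* plain seconds */
    /* Exactly one trailing unit character is allowed. */
    return digits + 1 == len && strchr("mhdw", value[digits]) != NULL;
}

int main(void)
{
    /* Constructed sample values; the last one carries a placeholder line. */
    const char *samples[] = { "24h", "3600", "infinite", "1h\nx=1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               lease_time_is_safe(samples[i], strlen(samples[i])) ? "accept" : "reject");
    return 0;
}
```

Validating against the full grammar, rather than only stripping newlines, also rejects values that are harmless to the parser but meaningless as a lease time.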
Affected Systems
The affected product is Pi-hole FTL, the DNS forwarding and blocking engine used by the Pi-hole network-wide ad blocking platform. Anyone running Pi-hole FTL versions 6.0 through 6.5, inclusive, is potentially vulnerable. The vulnerability is fixed in release 6.6, so installations of that version or later are not affected.
Risk and Exploitability
The CVSS score for this issue is 8.8, indicating high severity. Because exploitation requires authenticated access to the DHCP settings or the API, the attacker's success depends on prior compromise of, or privileged access to, the Pi-hole management interface. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that large-scale, publicly known exploitation has not yet been documented. Nonetheless, the potential for catastrophic system compromise warrants serious attention and prompt remediation.