Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

FTLDNS, the engine that powers Pi‑hole’s DNS and statistics, contains a flaw that allows an authenticated user to inject arbitrary configuration lines into the DHCP hosts file through newline characters. The injected directives are processed by dnsmasq, granting the attacker the ability to execute system commands. This creates a classic command‑execution vector, compromising confidentiality, integrity, and availability of the entire host running Pi‑hole.

Affected Systems

Products affected are the Pi‑hole FTL (FTLDNS) component, specifically versions from 6.0 up to, but not including, 6.6. All installations running those releases are susceptible until they are upgraded to 6.6 or later.

Risk and Exploitability

The flaw is rated with a CVSS score of 8.8, indicating a high severity level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is network‑based access through Pi‑hole’s privileged API. An attacker must first authenticate, but once authenticated they can submit a dhcp.hosts value whose embedded newline characters are written into the dnsmasq configuration as additional directives, leading to command execution on the underlying system.

Generated by OpenCVE AI on April 7, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch or upgrade to Pi‑hole FTL version 6.6 or newer
  • If upgrade is not immediately possible, restrict network access to the Pi‑hole API to trusted hosts only
  • Audit the configured dhcp.hosts entries (and the generated dnsmasq configuration) for embedded newline characters or unexpected directives, which would indicate that injection has already occurred

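The root cause described above (CWE-93: a newline inside a dhcp.hosts value ends the generated dnsmasq line and turns the remainder into a new directive) and the audit step recommended above both come down to the same check. The following is an added example written for this page, not pihole-FTL's own code; it assumes each entry is emitted verbatim as one "dhcp-host=<entry>" line, and the directive name in the sample value is a placeholder.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical input check (added example, not pihole-FTL code). Assumption:
 * each dhcp.hosts entry is written verbatim as one "dhcp-host=<entry>" line
 * of the generated dnsmasq configuration, so a CR or LF inside the value
 * ends that line and whatever follows is parsed as a separate directive
 * (CWE-93). The fix is to refuse the value before it reaches the file. */

/* Number of configuration lines the entry would occupy if written as-is:
 * exactly 1 for a well-formed entry, more if it carries line breaks. */
size_t dhcp_hosts_entry_lines(const char *entry)
{
    size_t lines = 1;
    for (const char *p = entry; *p != '\0'; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

/* Accept only non-empty, printable-ASCII values. This rejects CR, LF and
 * every other control character, none of which a dhcp-host entry needs. */
bool dhcp_hosts_entry_valid(const char *entry)
{
    if (entry == NULL || *entry == '\0')
        return false;
    for (const unsigned char *p = (const unsigned char *)entry; *p; p++)
        if (*p > 0x7e || !isprint(*p))
            return false;
    return true;
}

int main(void)
{
    /* Constructed sample values: a normal entry and one with an embedded LF
     * followed by a placeholder directive name. */
    const char *ok  = "aa:bb:cc:dd:ee:ff,192.168.1.20,printer";
    const char *bad = "aa:bb:cc:dd:ee:ff,192.168.1.20,printer\nexample-directive=placeholder";
    printf("ok : %zu line(s), valid=%d\n", dhcp_hosts_entry_lines(ok), dhcp_hosts_entry_valid(ok));
    printf("bad: %zu line(s), valid=%d\n", dhcp_hosts_entry_lines(bad), dhcp_hosts_entry_valid(bad));
    return 0;
}
```

The same line-count function can be run over existing dhcp.hosts values during the audit: any entry that would occupy more than one line is suspect.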

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pi-hole; Pi-hole ftldns
Vendors & Products | | Pi-hole; Pi-hole ftldns

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Title | | Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
Weaknesses | | CWE-78; CWE-93
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T18:21:43.428Z

Reserved: 2026-04-03T02:15:39.281Z

Link: CVE-2026-35521

Vulnrichment

Updated: 2026-04-07T18:21:40.463Z

NVD

Status : Analyzed

Published: 2026-04-07T16:16:28.693

Modified: 2026-04-28T20:24:49.443

Link: CVE-2026-35521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:13Z

Weaknesses