cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667) |
|---|---|
| Product | Ftldns (d3b8cbaa-6720-5b32-8da6-d87b00060f96) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |

PURL mappings

| PURL | Source | Last updated |
|---|---|---|
| pkg:github/pi-hole/ftl | purl2cpe | 2026-06-01 10:10:56.970739 |

Vulnerability references

| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-35521 | vulnerable | 2026-06-08 07:59:14.073773 | Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection. HIGH (8.8). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6. Published: 2026-04-07T15:20:26.583Z. Updated: 2026-04-07T18:21:43.428Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-35520 | vulnerable | 2026-06-08 07:59:14.073429 | Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection. HIGH (8.8). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6. Published: 2026-04-07T15:19:21.875Z. Updated: 2026-04-09T14:35:45.884Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-35519 | vulnerable | 2026-06-08 07:59:14.072926 | Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection. HIGH (8.8). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6. Published: 2026-04-07T15:18:27.377Z. Updated: 2026-04-09T16:19:08.569Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-35518 | vulnerable | 2026-06-08 07:59:14.072683 | Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection. HIGH (8.8). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6. Published: 2026-04-07T15:17:39.977Z. Updated: 2026-04-08T14:55:05.699Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-35517 | vulnerable | 2026-06-08 07:59:14.072433 | Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection. HIGH (8.8). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6. Published: 2026-04-07T15:16:02.955Z. Updated: 2026-04-07T18:19:50.497Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-35491 | vulnerable | 2026-06-08 07:59:14.056465 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |