
cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
Product: Ftldns (d3b8cbaa-6720-5b32-8da6-d87b00060f96)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/pi-hole/ftl
Source: purl2cpe
Last updated: 2026-06-01 10:10:56.970739

Vulnerability references

Identifier: CVE:CVE-2026-35521
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:59:14.073773
db.gcve.eu details:
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:20:26.583Z
Updated: 2026-04-07T18:21:43.428Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2026-35520
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:59:14.073429
db.gcve.eu details:
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:19:21.875Z
Updated: 2026-04-09T14:35:45.884Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2026-35519
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:59:14.072926
db.gcve.eu details:
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:18:27.377Z
Updated: 2026-04-09T16:19:08.569Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2026-35518
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:59:14.072683
db.gcve.eu details:
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:17:39.977Z
Updated: 2026-04-08T14:55:05.699Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2026-35517
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:59:14.072433
db.gcve.eu details:
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:16:02.955Z
Updated: 2026-04-07T18:19:50.497Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2026-35491
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:59:14.056465
db.gcve.eu details: db.gcve.eu details were skipped to keep the page responsive.
Rationale: Imported from gcve-enriched-dumps CVE data
