cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:*

part: a
version: *
update: *
Vendor: Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667)
Product: Ftl (9a2cde78-f94f-5fbf-a1b1-9eb6d5ee4aa5)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

CVE-2026-39849
CPE applicability: vulnerable
Submitted: 2026-06-08 08:01:17.103942
Title: Pi-hole FTL remote code execution via newline injection in dns.interface configuration
Description: Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Published: 2026-05-05T20:50:26.021Z
Updated: 2026-05-08T14:12:44.566Z
Reference links: (none listed)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-35521
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:14.073640
Title: Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
Severity: HIGH (8.8)
Description: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:20:26.583Z
Updated: 2026-04-07T18:21:43.428Z
Reference links: (none listed)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-35520
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:14.073252
Title: Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
Severity: HIGH (8.8)
Description: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:19:21.875Z
Updated: 2026-04-09T14:35:45.884Z
Reference links: (none listed)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-35519
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:14.072897
Title: Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
Severity: HIGH (8.8)
Description: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:18:27.377Z
Updated: 2026-04-09T16:19:08.569Z
Reference links: (none listed)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-35518
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:14.072653
Title: Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
Severity: HIGH (8.8)
Description: FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:17:39.977Z
Updated: 2026-04-08T14:55:05.699Z
Reference links: (none listed)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-35517
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:14.072397
db.gcve.eu details: (not included on this page)
Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2026-35491
CPE applicability: vulnerable
Submitted: 2026-06-08 07:59:14.055746
db.gcve.eu details: (not included on this page)
Rationale: Imported from gcve-enriched-dumps CVE data