Approved changes feed: RSS · Atom
cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Pi Hole (525d0520-023b-5ac7-adae-b0bb743ce667) |
|---|---|
| Product | Ftl (9a2cde78-f94f-5fbf-a1b1-9eb6d5ee4aa5) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-39849 |
vulnerable | 2026-06-08 08:01:17.103942 |
Pi-hole FTL remote code execution via newline injection in dns.interface configuration
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Published: 2026-05-05T20:50:26.021Z
Updated: 2026-05-08T14:12:44.566Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-35521 |
vulnerable | 2026-06-08 07:59:14.073640 |
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:20:26.583Z
Updated: 2026-04-07T18:21:43.428Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-35520 |
vulnerable | 2026-06-08 07:59:14.073252 |
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:19:21.875Z
Updated: 2026-04-09T14:35:45.884Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-35519 |
vulnerable | 2026-06-08 07:59:14.072897 |
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:18:27.377Z
Updated: 2026-04-09T16:19:08.569Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-35518 |
vulnerable | 2026-06-08 07:59:14.072653 |
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
HIGH (8.8)
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Published: 2026-04-07T15:17:39.977Z
Updated: 2026-04-08T14:55:05.699Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-35517 |
vulnerable | 2026-06-08 07:59:14.072397 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-35491 |
vulnerable | 2026-06-08 07:59:14.055746 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.