FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
References
| Link | Resource |
|---|---|
| https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp | Vendor Advisory |
| https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp | Vendor Advisory |
Configurations
History
28 Apr 2026, 20:31
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Pi-hole
Pi-hole ftldns |
|
| CPE | cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:* | |
| References | () https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp - Vendor Advisory |
09 Apr 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp - |
07 Apr 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-07 16:16
Updated : 2026-04-28 20:31
NVD link : CVE-2026-35519
Mitre link : CVE-2026-35519
CVE.ORG link : CVE-2026-35519
JSON object : View
Products Affected
pi-hole
- ftldns