Search
Find a vulnerability
Search criteria
16 vulnerabilities found for ftldns by pi-hole
CVE-2026-39849 (GCVE-0-2026-39849)
Vulnerability from nvd – Published: 2026-05-05 20:50 – Updated: 2026-05-08 14:12
VLAI
Title
Pi-hole FTL remote code execution via newline injection in dns.interface configuration
Summary
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/pi-hole/FTL/commit/0c46e4ec7fe… | x_refsource_MISC |
| https://github.com/pi-hole/FTL/releases/tag/v6.6.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39849",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T03:55:36.195107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:12:44.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T20:50:26.021Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2"
},
{
"name": "https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d"
},
{
"name": "https://github.com/pi-hole/FTL/releases/tag/v6.6.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.1"
}
],
"source": {
"advisory": "GHSA-9cqv-839p-gpq2",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL remote code execution via newline injection in dns.interface configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39849",
"datePublished": "2026-05-05T20:50:26.021Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-05-08T14:12:44.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35521 (GCVE-0-2026-35521)
Vulnerability from nvd – Published: 2026-04-07 15:20 – Updated: 2026-04-07 18:21
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35521",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T18:21:35.967672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:21:43.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:20:26.583Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c"
}
],
"source": {
"advisory": "GHSA-vfmq-jrx3-wv3c",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35521",
"datePublished": "2026-04-07T15:20:26.583Z",
"dateReserved": "2026-04-03T02:15:39.281Z",
"dateUpdated": "2026-04-07T18:21:43.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35520 (GCVE-0-2026-35520)
Vulnerability from nvd – Published: 2026-04-07 15:19 – Updated: 2026-04-09 14:35
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35520",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T14:35:40.330714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:35:45.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:19:21.875Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"
}
],
"source": {
"advisory": "GHSA-fqv2-qhfh-ghcj",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35520",
"datePublished": "2026-04-07T15:19:21.875Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-09T14:35:45.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35519 (GCVE-0-2026-35519)
Vulnerability from nvd – Published: 2026-04-07 15:18 – Updated: 2026-04-09 16:19
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35519",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T16:12:50.932702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:19:08.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:18:27.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"
}
],
"source": {
"advisory": "GHSA-wxhv-w77q-6qwp",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35519",
"datePublished": "2026-04-07T15:18:27.377Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-09T16:19:08.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35518 (GCVE-0-2026-35518)
Vulnerability from nvd – Published: 2026-04-07 15:17 – Updated: 2026-04-08 14:55
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35518",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T14:54:51.921500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T14:55:05.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:17:39.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m"
}
],
"source": {
"advisory": "GHSA-28g5-gg88-wh5m",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35518",
"datePublished": "2026-04-07T15:17:39.977Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-08T14:55:05.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35517 (GCVE-0-2026-35517)
Vulnerability from nvd – Published: 2026-04-07 15:16 – Updated: 2026-04-07 18:19
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35517",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T18:19:40.630593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:19:50.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:16:02.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj"
}
],
"source": {
"advisory": "GHSA-23w8-7333-p9fj",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35517",
"datePublished": "2026-04-07T15:16:02.955Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-07T18:19:50.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35491 (GCVE-0-2026-35491)
Vulnerability from nvd – Published: 2026-04-07 15:00 – Updated: 2026-04-07 17:52
VLAI
Title
Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35491",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T17:52:41.306420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:52:48.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates \u201cCLI\u201d API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:00:11.079Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq"
}
],
"source": {
"advisory": "GHSA-r7g8-3fj7-m5qq",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35491",
"datePublished": "2026-04-07T15:00:11.079Z",
"dateReserved": "2026-04-02T20:49:44.454Z",
"dateUpdated": "2026-04-07T17:52:48.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-29448 (GCVE-0-2021-29448)
Vulnerability from nvd – Published: 2021-04-15 15:25 – Updated: 2024-08-03 22:02
VLAI
Title
Stored DOM XSS in Pi-hole Admin Web Interface
Summary
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
Severity
7.6 (High)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/AdminLTE/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-15T15:25:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
},
"title": "Stored DOM XSS in Pi-hole Admin Web Interface",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29448",
"STATE": "PUBLIC",
"TITLE": "Stored DOM XSS in Pi-hole Admin Web Interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AdminLTE",
"version": {
"version_data": [
{
"version_value": "\u003c= 5.4"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9",
"refsource": "CONFIRM",
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
]
},
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29448",
"datePublished": "2021-04-15T15:25:14.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-39849 (GCVE-0-2026-39849)
Vulnerability from cvelistv5 – Published: 2026-05-05 20:50 – Updated: 2026-05-08 14:12
VLAI
Title
Pi-hole FTL remote code execution via newline injection in dns.interface configuration
Summary
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/pi-hole/FTL/commit/0c46e4ec7fe… | x_refsource_MISC |
| https://github.com/pi-hole/FTL/releases/tag/v6.6.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39849",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T03:55:36.195107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T14:12:44.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c 6.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-05T20:50:26.021Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2"
},
{
"name": "https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d"
},
{
"name": "https://github.com/pi-hole/FTL/releases/tag/v6.6.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pi-hole/FTL/releases/tag/v6.6.1"
}
],
"source": {
"advisory": "GHSA-9cqv-839p-gpq2",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL remote code execution via newline injection in dns.interface configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39849",
"datePublished": "2026-05-05T20:50:26.021Z",
"dateReserved": "2026-04-07T19:13:20.378Z",
"dateUpdated": "2026-05-08T14:12:44.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35521 (GCVE-0-2026-35521)
Vulnerability from cvelistv5 – Published: 2026-04-07 15:20 – Updated: 2026-04-07 18:21
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35521",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T18:21:35.967672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:21:43.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:20:26.583Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c"
}
],
"source": {
"advisory": "GHSA-vfmq-jrx3-wv3c",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35521",
"datePublished": "2026-04-07T15:20:26.583Z",
"dateReserved": "2026-04-03T02:15:39.281Z",
"dateUpdated": "2026-04-07T18:21:43.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35520 (GCVE-0-2026-35520)
Vulnerability from cvelistv5 – Published: 2026-04-07 15:19 – Updated: 2026-04-09 14:35
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35520",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T14:35:40.330714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:35:45.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:19:21.875Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj"
}
],
"source": {
"advisory": "GHSA-fqv2-qhfh-ghcj",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.leaseTime Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35520",
"datePublished": "2026-04-07T15:19:21.875Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-09T14:35:45.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35519 (GCVE-0-2026-35519)
Vulnerability from cvelistv5 – Published: 2026-04-07 15:18 – Updated: 2026-04-09 16:19
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35519",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T16:12:50.932702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:19:08.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:18:27.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp"
}
],
"source": {
"advisory": "GHSA-wxhv-w77q-6qwp",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.hostRecord Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35519",
"datePublished": "2026-04-07T15:18:27.377Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-09T16:19:08.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35518 (GCVE-0-2026-35518)
Vulnerability from cvelistv5 – Published: 2026-04-07 15:17 – Updated: 2026-04-08 14:55
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35518",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T14:54:51.921500Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T14:55:05.699Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:17:39.977Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m"
}
],
"source": {
"advisory": "GHSA-28g5-gg88-wh5m",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35518",
"datePublished": "2026-04-07T15:17:39.977Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-08T14:55:05.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35517 (GCVE-0-2026-35517)
Vulnerability from cvelistv5 – Published: 2026-04-07 15:16 – Updated: 2026-04-07 18:19
VLAI
Title
Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35517",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T18:19:40.630593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T18:19:50.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:16:02.955Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj"
}
],
"source": {
"advisory": "GHSA-23w8-7333-p9fj",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35517",
"datePublished": "2026-04-07T15:16:02.955Z",
"dateReserved": "2026-04-03T02:15:39.280Z",
"dateUpdated": "2026-04-07T18:19:50.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35491 (GCVE-0-2026-35491)
Vulnerability from cvelistv5 – Published: 2026-04-07 15:00 – Updated: 2026-04-07 17:52
VLAI
Title
Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration
Summary
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/FTL/security/advisorie… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35491",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T17:52:41.306420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:52:48.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FTL",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 6.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole\u0027s Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates \u201cCLI\u201d API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:00:11.079Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq"
}
],
"source": {
"advisory": "GHSA-r7g8-3fj7-m5qq",
"discovery": "UNKNOWN"
},
"title": "Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35491",
"datePublished": "2026-04-07T15:00:11.079Z",
"dateReserved": "2026-04-02T20:49:44.454Z",
"dateUpdated": "2026-04-07T17:52:48.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-29448 (GCVE-0-2021-29448)
Vulnerability from cvelistv5 – Published: 2021-04-15 15:25 – Updated: 2024-08-03 22:02
VLAI
Title
Stored DOM XSS in Pi-hole Admin Web Interface
Summary
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details.
Severity
7.6 (High)
CWE
- CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/pi-hole/AdminLTE/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.967Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AdminLTE",
"vendor": "pi-hole",
"versions": [
{
"status": "affected",
"version": "\u003c= 5.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-15T15:25:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
],
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
},
"title": "Stored DOM XSS in Pi-hole Admin Web Interface",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29448",
"STATE": "PUBLIC",
"TITLE": "Stored DOM XSS in Pi-hole Admin Web Interface"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "AdminLTE",
"version": {
"version_data": [
{
"version_value": "\u003c= 5.4"
}
]
}
}
]
},
"vendor_name": "pi-hole"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. The Stored XSS exists in the Pi-hole Admin portal, which can be exploited by the malicious actor with the network access to DNS server. See the referenced GitHub security advisory for patch details."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9",
"refsource": "CONFIRM",
"url": "https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-cwwf-93p7-73j9"
}
]
},
"source": {
"advisory": "GHSA-cwwf-93p7-73j9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29448",
"datePublished": "2021-04-15T15:25:14.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}