Vulnerability Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pi-Hole | Ftldns | >= 6.0, <= 6.5 |
Related Weaknesses (CWE)
References
- https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwpVendor Advisory
- https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwpVendor Advisory
FAQ
What is CVE-2026-35519?
CVE-2026-35519 is a vulnerability with a CVSS score of 8.8 (HIGH). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnera...
How severe is CVE-2026-35519?
CVE-2026-35519 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35519?
Check the references section above for vendor advisories and patch information. Affected products include: Pi-Hole Ftldns.