Vulnerability Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pi-Hole | Ftldns | >= 6.0, <= 6.5 |
Related Weaknesses (CWE)
References
- https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcjExploitVendor Advisory
- https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcjExploitVendor Advisory
FAQ
What is CVE-2026-35520?
CVE-2026-35520 is a vulnerability with a CVSS score of 8.8 (HIGH). FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnera...
How severe is CVE-2026-35520?
CVE-2026-35520 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35520?
Check the references section above for vendor advisories and patch information. Affected products include: Pi-Hole Ftldns.