Remote Code Execution Vulnerability in Pi-hole FTL Engine
CVE-2026-35521

8.8HIGH

Key Information:

Vendor: Pi-hole
Status: Ftl
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-35521?

The FTL engine of Pi-hole, from versions 6.0 through before 6.6, is susceptible to a Remote Code Execution (RCE) vulnerability that enables authenticated attackers to exploit the DHCP hosts configuration parameter. By injecting arbitrary dnsmasq configuration directives using newline characters, malicious users can achieve command execution on the underlying system. This threat highlights the importance of maintaining updated software environments to mitigate potential exploits. An update to version 6.6 resolves this issue, reinforcing the need for users to ensure they operate the latest version for secure functionality.

Affected Version(s)

FTL >= 6.0, < 6.6

References

https://github.com/pi-hole/FTL/security/advisories/GHSA-v...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35521 Data

JSON