CVE-2026-35518
HIGHPi-hole FTL affected by Remote Code Execution (RCE) via dns.cnameRecords Newline Injection
Title source: cnaDescription
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m
Scores
CVSS v3
8.8
EPSS
0.0069
EPSS Percentile
47.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
CWE-93
Status
published
Products (2)
pi-hole/FTL
>= 6.0, < 6.6
pi-hole/ftldns
6.0 - 6.5
Published
Apr 07, 2026
Tracked Since
Apr 07, 2026