Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
AnalysisAI
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges to execute arbitrary system commands by injecting newline-delimited dnsmasq configuration directives into the upstream DNS servers parameter (dns.upstreams). The vulnerability requires network access with authentication (CVSS:3.1 PR:L) but has low attack complexity and no user interaction required. No public exploit identified at time of analysis, though technical details are available in the GitHub Security Advisory.
Technical ContextAI
Pi-hole FTL (Faster Than Light DNS) is the core DNS engine and API server for Pi-hole network-wide ad blocking. The vulnerability stems from improper input neutralization (CWE-78: OS Command Injection) in the dns.upstreams configuration parameter processing. When administrators configure upstream DNS servers through the FTL API, the system fails to sanitize newline characters in the input. Since FTL passes this configuration to the underlying dnsmasq DNS forwarder, an attacker can inject additional dnsmasq configuration directives by embedding newline-separated commands. Dnsmasq's configuration format allows directives that can execute external programs (such as dhcp-script or script-arp), enabling attackers to escalate from configuration injection to arbitrary command execution on the host system running Pi-hole. This affects the cpe:2.3:a:pi-hole:ftl product across all 6.x versions prior to the patched release.
RemediationAI
Upgrade Pi-hole FTL to version 6.6 or later immediately to address this vulnerability. The vendor-released patch version 6.6 contains input validation fixes that prevent newline injection in the dns.upstreams parameter. Administrators can update by running the standard Pi-hole update command: 'pihole -up' or by manually updating the FTL component through the package manager on their distribution. Until patching is complete, implement the following temporary mitigations: restrict network access to the Pi-hole admin interface to trusted management networks only using firewall rules, enforce strong authentication credentials and enable two-factor authentication if available through reverse proxy configurations, audit all accounts with administrative access to Pi-hole and revoke unnecessary privileges, and monitor system logs for unexpected dnsmasq configuration changes or suspicious process execution. Review the complete remediation guidance and security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj for additional context on the vulnerability and patch details.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19684