Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
AnalysisAI
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary system commands by injecting malicious dnsmasq configuration directives through newline characters in the DNS CNAME records parameter (dns.cnameRecords). Authentication requirements confirmed (CVSS PR:L - low privileges required). Publicly available exploit code exists. CVSS 8.8 with network attack vector and low complexity indicates high exploitability once authenticated access is obtained.
Technical ContextAI
FTLDNS (pihole-FTL) is the core DNS resolver and API engine for Pi-hole network-wide ad blocking software. The vulnerability stems from improper neutralization of special elements used in OS commands (CWE-78: OS Command Injection). The dns.cnameRecords configuration parameter passes user-controlled input to dnsmasq, the underlying DNS forwarder, without adequately sanitizing newline characters. An attacker with authenticated access to the Pi-hole administrative interface can inject arbitrary dnsmasq configuration directives by embedding newline-separated commands within CNAME record definitions. Because dnsmasq configuration directives can include dhcp-script and other parameters that execute external programs, this injection vector escalates to full remote code execution with the privileges of the FTL process, typically running as the pihole user or root depending on installation configuration.
RemediationAI
Upgrade Pi-hole FTL to version 6.6 or later, which contains fixes for the command injection vulnerability in dns.cnameRecords processing. Users should run 'pihole -up' or manually update the FTL component following Pi-hole's standard upgrade procedures documented at the project's GitHub repository. As interim mitigation for environments unable to immediately upgrade, restrict administrative interface access to trusted networks only, enforce strong authentication credentials, implement network segmentation to prevent Pi-hole from accessing critical internal systems, and audit existing CNAME record configurations for suspicious entries. Monitor system logs for unexpected dnsmasq restarts or configuration changes. Complete remediation guidance is available in the vendor security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19685